Printer redirection is disabled by default for all Citrix users working from a home office.
Allowing home office printing requires Managing Director approval.
Citrix System Administrators enable it by creating a Citrix policy.
Use the following template for Managing Director approval.
Replace @user and @Managing Director accordingly.
Dear @user,
@Managing Director needs to approve your request so that you can print from home.
By approving, @Managing Director accepts that sensitive information will be copied out to an environment we don’t control, that we will have no visibility over what happens to the printouts, and accepts the risk of any exposure in that way (i.e., lost papers, papers not shredded before disposal, papers exposed to other members of the household). If needed, he can consult with Legal on any GDPR impacts.
Also @user will be responsible for:
- the security of her home network, where other devices may have access to the same printer (and any residual data on the device)
- ensuring the security of the printouts
- transporting the printouts securely
- proper disposal of any discarded printouts. Per policy these should be shredded.
Once @Managing Director approves, we can proceed.
On the Login page please enter the login details as explained below:
Field | Value
User Name | Same as for your Vistra office computer
Password | Same as for your Vistra office computer
PASSCODE | 6-digit passcode from the SafeNet MobilePass app followed by the 4-digit PIN
You are now logged into the Vistra Citrix environment. Depending on the access you have been given, you may see one or more icons which you can open to access your desktop environment. Simply click on the desktop you want to connect to and launch the application.
On the Login page please enter the login details as explained below:
User name: This is the same username you use to log in to your Vistra office computer.
Password: The same password used to log in at the office.
PASSCODE: This is the 6-digit passcode from the SafeNet MobilePass app followed by the 4-digit PIN that you set during the setup of the app, e.g. 8797481234 (no spaces).
Worksite or iManage tab is missing from Outlook
Instructions
Open Outlook
Go to File > Options > Add-ins
Change to Disabled items > Enable iManage FileSite and EMM
Go to Add-ins once more > COM Add-in > iManage > Enable the add-in
Restart Outlook
If the Worksite tab is still missing add the registry key under location: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Interwoven\WorkSite\8.0\EMM\FilingToolbar] - "InstallHook"=dword:00000000 (attached)
Access to specified folder on worksite is based on security groups.
The locations of the security groups in AD can be found with the following PowerShell script:
# Get all AD groups with a name starting with "DM"
$groups = Get-ADGroup -Filter {Name -like "DM*"}
# Select the base path (parent OU) from each group's distinguished name by
# 1. splitting by comma
# 2. skipping the first element (group name)
# 3. joining the remaining parts again
# 4. selecting only unique elements:
$groups | ForEach-Object { (($_.DistinguishedName -split ',') | Select-Object -Skip 1) -join ',' } | Select-Object -Unique | Out-GridView -Title "DM Security group OUs"
iManage Work (formerly iManage WorkSite) is iManage's core document and email management software. It's a system to store, organize and manage documents, emails and related content.
Worksite is used as an add-in to the Microsoft Office package and to Nuance PDF.
All the documents are then stored on the DM server for the location, e.g. server AMSSRVDM001.
When the wildcard SSL certificate is renewed and installed on the on-prem Exchange servers around the group, the Send / Receive connectors should be updated to use the new certificate. Occasionally, due to a Microsoft bug, the Send / Receive connectors keep using the old certificate, and when it expires this causes email flow issues between O365 and on-prem via the Hybrid connector.
To resolve this, log in to HKGSRVEXC001 or HKGSRVEXC002 (Hybrid servers).
************************************ Send Connector ************************************
Open Exchange PowerShell and run Get-ExchangeCertificate to get the new certificate thumbprint.
Run the following command, updating the thumbprint to the one captured above:
$Cert = Get-ExchangeCertificate -Thumbprint 27B1831971ED6DA5DA9EFFA257D3EBF2E8A2CF42
Run the following command:
$TLSCert = ('<I>'+$Cert.Issuer+'<S>'+$Cert.Subject)
Run the following command:
Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $TLSCert
************************************ Receive Connector ************************************
Open Exchange PowerShell and run Get-ExchangeCertificate to get the new certificate thumbprint.
Run the following command, updating the thumbprint to the one captured above:
$Cert = Get-ExchangeCertificate -Thumbprint 27B1831971ED6DA5DA9EFFA257D3EBF2E8A2CF42
Run the following command:
$TLSCert = ('<I>'+$Cert.Issuer+'<S>'+$Cert.Subject)
Run the following command:
Set-ReceiveConnector -Identity "Outbound to Office 365" -TLSCertificateName $TLSCert
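A check to run after the renewal, added here as an example and not part of the original runbook: it compares each connector's TlsCertificateName with the `<I>issuer<S>subject` string built from the new certificate and flags connectors still bound to another name. The function names and the sample objects are constructed for illustration; on a hybrid server, pass the output of Get-ExchangeCertificate, Get-SendConnector and Get-ReceiveConnector instead.

```powershell
# Added example (not from the original runbook). Function names and the
# sample objects below are constructed for illustration.

function Get-TlsCertificateName {
    param([Parameter(Mandatory)] $Certificate)
    # Same string the steps above build by hand: <I>issuer<S>subject
    '<I>{0}<S>{1}' -f $Certificate.Issuer, $Certificate.Subject
}

function Test-ConnectorTlsBinding {
    param(
        [Parameter(Mandatory)] $NewCertificate,
        [Parameter(Mandatory)] [object[]] $Connector,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $expected = Get-TlsCertificateName -Certificate $NewCertificate
    $daysLeft = [int][math]::Floor(($NewCertificate.NotAfter - $Now).TotalDays)

    foreach ($c in $Connector) {
        # On live connector objects TlsCertificateName is not a plain string;
        # casting it is assumed to yield the <I>...<S>... form.
        $bound = [string]$c.TlsCertificateName
        $status = if ([string]::IsNullOrWhiteSpace($bound)) {
            'NotPinned'      # connector is not tied to a named certificate
        } elseif ($bound -ne $expected) {
            'Mismatch'       # still bound to a different issuer/subject
        } elseif ($daysLeft -lt 0) {
            'Expired'
        } elseif ($daysLeft -lt $WarnDays) {
            'ExpiringSoon'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Connector = [string]$c.Identity
            Status    = $status
            Bound     = $bound
            Expected  = $expected
            DaysLeft  = $daysLeft
        }
    }
}

# --- Constructed sample data (runs without an Exchange server) ---
$now     = [datetime]'2024-06-01'
$newCert = [pscustomobject]@{
    Issuer   = 'CN=Example Issuing CA 2, O=Example'
    Subject  = 'CN=*.example.test'
    NotAfter = [datetime]'2025-05-20'
}
$oldName = '<I>CN=Example Issuing CA 1, O=Example<S>CN=*.example.test'
$connectors = @(
    [pscustomobject]@{ Identity = 'Outbound to Office 365'
                       TlsCertificateName = (Get-TlsCertificateName $newCert) }
    [pscustomobject]@{ Identity = 'HYBRID01\Inbound from Office 365'   # constructed name
                       TlsCertificateName = $oldName }
    [pscustomobject]@{ Identity = 'HYBRID01\Default Frontend'          # constructed name
                       TlsCertificateName = $null }
)

$report = Test-ConnectorTlsBinding -NewCertificate $newCert -Connector $connectors -Now $now
$report | Format-Table Connector, Status, DaysLeft -AutoSize

# Live use in the Exchange Management Shell (thumbprint is a placeholder):
#   $new  = Get-ExchangeCertificate -Thumbprint '<new certificate thumbprint>'
#   $conn = @(Get-SendConnector) + @(Get-ReceiveConnector)
#   Test-ConnectorTlsBinding -NewCertificate $new -Connector $conn |
#       Where-Object Status -ne 'OK'
```

TlsCertificateName holds only issuer and subject, so a renewed certificate with the same issuer and subject as the old one produces an identical string; in that case also confirm the thumbprint and expiry date of the certificate installed on the server.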
Log on using your email address and the passcode+pin from the MobilePass app.
Go to the Assignment tab
Here you can search for the user via several ways (User ID(login), email address, etc).
Click on username
Go to the Authentication Methods if it is not already open.
Here, please click on Provision, select MobilePass Token, and click on Provision. After this, the user should receive an email from SafeNet within the next five minutes with a guide on how to enrol the token.
⚠️ Warning!
Note that if they already have a token, a new one may not be required to be sent. Please verify with the user if they have an active MobilePass app on their mobile phone that they are using
Never have more than one token assigned to a single user, as every token we assign will cost an extra license.
How to add and modify LDAP connectors - source of User Database and other settings
Instructions
Step by step:
Choose Connections → LDAP from left menu
List of created LDAP connections is displayed - each connector for separate OU
New connector is created by clicking an icon in top right corner:
Create new connector based on other ones, checking settings in each tab, as follows:
General tab
- Name: connector name
- uniflowServer: WAWSRVPRN001
- LDAP Server Name: current domain controller
- Username & Password: credentials to read LDAP data
- Test connection to LDAP button: tests the connection, but errors are still possible even if OK is returned
- LDAP Directory (…): User OU
- LDAP Browser button: displays LDAP connection results - best for connection setup testing
- Optional LDAP Filter (…): filter LDAP results to include only Users. Example:
Field scheme tab
The field import scheme has to be set to Active Directory:
- Data type is Users
- Choose ActiveDirectory from the Field Scheme list
- Click the Load! and then Save buttons.
Modify the PERSONALFOLDER field to include the \!SCAN folder in the path. Current path is \\10.10.10.33\homedir$\{sAMAccountName}\!SCAN
Budget settings tab
These settings are not yet in use and can be left with no monitoring.
Click save button at the bottom of the screen
Browse back to Connections → LDAP and click Save if below window is displayed
Test connection setup by both Test connection and LDAP browser buttons
Make sure to apply all settings, especially import ActiveDirectory scheme
Check if saved settings were applied
Be aware that settings are not synced automatically when Connection is created
Print & Scan - Uniflow - How to export Uniflow database
Type the IP address of the printer in the search bar of the web browser.
Log in on the printer’s website using the Administrator account if required. All of the examples below can vary depending on how old the printer is and whether it has been updated.
Canon printer configured for uniFLOW login page:
Canon printer not in uniFLOW login page:
Ricoh web page
HP
Xerox
There are printers that won't ask for a password when the web page is opened but will instead require the admin password to save changes. Example of such a printer: http://10.13.30.2/scanpc.asp?Lang=en-us
Not all of the printers are protected with a password.
Script to list all printers configured on print servers
# Path to the CSV output file
$basepath = 'C:\tmp'
$outputCsvPath = Join-Path $basepath 'Printers.csv'
# Get the name and IP of all servers from the specified OU
$servers = Get-ADComputer -SearchBase "OU=Servers,OU=CEE,OU=Vistra,DC=work,DC=local" -Filter * -Properties * | Select-Object Name, @{label='IP';expression={$_.IPv4Address}}
# uncomment to display the chosen servers
#$servers | Out-GridView
# initialize an empty array to store printer info
$printers = @()
# iterate through the chosen print servers
for ($i = 0; $i -lt $servers.Count; $i++)
{
    # list all printer ports on the server
    # this is done to match WSD ports of printers and get their IP addresses
    $ports = Get-PrinterPort -ComputerName $servers[$i].IP | Select-Object @{label='IpAddress';expression={($_.DeviceURL -split "/")[2]}}, Name
    # store the printer list gathered from the server in a temporary variable
    # add an IpAddress field (@{label ...}) to each entry in 'Select-Object' and populate it with an empty string "" - to be filled in the next steps
    # select only the needed properties, in the desired order
    $tempPrinters = Get-Printer -ComputerName $servers[$i].IP | Select-Object 'Name',@{label='IpAddress';expression={""}},'PortName','ShareName','PrinterState','PrintProcessor','DriverName','ComputerName','Location','Comment','JobCount'
    # iterate through the printer list extracted from the current print server
    foreach ($printer in $tempPrinters) {
        # if the port is a WSD port (name starts with "WSD-")
        if ($printer.PortName -match '^WSD-') {
            # match the WSD port on the port list with the port on the printer and get the corresponding IP address from the port list
            # -ExpandProperty to output a string only and not an object
            $printer.IpAddress = $ports | Where-Object {$_.Name -eq $printer.PortName} | Select-Object -ExpandProperty IpAddress
        }
        # if the port name starts with a digit (expected values are in #.#.#.# or #.#.#.#_# format)
        elseif ($printer.PortName[0] -match "\d") {
            # select only the IP address by splitting the port name on '_' and taking the first part
            $printer.IpAddress = $printer.PortName.Split("_")[0]
        }
        # ports that match neither condition keep an empty IpAddress
        # add printer info to the printer list
        $printers += $printer
    }
    # write a progress bar based on the number of print servers already processed
    Write-Progress -Activity "Getting printer info" -PercentComplete ($i/$servers.Count*100)
}
# display the exported printers in a grid view
$printers | Out-GridView
# export the printer list to CSV, overwriting the previous file
$printers | Export-Csv -Path $outputCsvPath -Delimiter ";" -NoTypeInformation -Force
# open the created CSV file (should open in Excel if installed)
Start-Process $outputCsvPath
Output is exported to CSV file
WSD ports on printers are matched to corresponding IPs based on Printer Ports extracted from server
Add printer: Windows Explorer > \\luxsrvprn01 or \\luxsrvprn02 (for Dymo). Configuration: enter the IP address in the web browser > configuration > name (for example LUXDYMO01) > default gateway is the same as the IP address with 1 at the end.
Print & Scan - Luxembourg - Printers - How to delete print jobs from print queue
Log in to the prn01 server > Start > Administrative Tools > Print Management > Print Servers > Printers > right-click on the printer > Open printer queue > highlight the user > right-click and cancel.
Go to http://10.51.20.10 > Scan tab > Email address book and add the reception users, then go to Default SMTP configuration and set it up as follows. If you do not know the SMTP server you can use CMD and type ping luxdag001
Print & Scan - Uniflow - How to setup price profile
To connect to MicroMind device you have to know the ip address of the device.
Connect power source to micromind device and ethernet cable to it
Connect the ethernet cable to the laptop/desktop.
Change the Ethernet options (gateway, DNS, similar IP address) on the machine that you connected the microMIND device to. They have to be similar. In our case the microMIND devices had the same IPs as the printer it was connected to - 10.10.2.X and the subnet mask was 255.255.0.0. Gateway and DNS are not required in this case.
If the IP is unknown and the device is not set to DHCP (to check, go to the DHCP server and use the “arp -a” command in cmd), then you have to scan the network using a third-party scanning program to find the IP address.
Go to Control Panel > change View by: to Category > Programs > Programs and Features > from the left pane choose Turn Windows features on or off > find Telnet Client (or server - I turned both of them on).
Type the microMIND IP address in the browser. The following address should appear with the device information. http://<micromind.ip.address>/mind.shtml
If DHCP is set to no, go to cmd and type “telnet <IP-address of the microMIND V2> 53215”
Type the username and password from the password manager.
WARNING! Anything we type now will not be visible. Type RESETFACTORY and press Enter. WAIT until you see “Done!”. Now restart the microMIND. It will now be configured to get an address from DHCP.
Go to the DHCP server (for Warsaw it is currently WAWSRVDC004) and make a reservation for the microMIND device. The MAC address is built from two things - the vendor ID for the microMIND device, which is always the same (743256), and the serial number. Example below:
In this example the MAC address will be 743256104921. Now make a reservation on the DHCP server and reset the microMIND.
Revert the IP from static back to DHCP on the workstation and connect it to the internet.
Connect the microMIND to the network and wait until the second diode shows a constant red colour. That means the microMIND has obtained the IP address.
In the field connect to Server IP only type the uniflow server address (in our case 10.10.10.120)
Go to print server (WAWSRVPRN001) and to the uniflow configuration. Proceed to Connections > Agents / Terminals
Then expand the MIND & microMIND list > Network Configuration. Now type the ip address of the micromind > click add > Update > save
Now the microMIND is ready and can be connected back to the printer. Its right diode should now be green and ready to work if it’s associated with the printer in uniFLOW.
Print & Scan - Uniflow - Card Readers / microMIND - How to check assigned printer
Remote to HKGSRVEXCL001. Note that this server is in the DMZ, meaning your domain account(s) will not work. A local account would need to be created.
Open the “Signature Manager Office O365 Edition console”
Look up the specific Exclaimer configured for the relevant office; for this example we will take Cyprus ("Vistra CYP OWA Signature Policy" and "Vistra CYP Outlook Signature Policy").
Edit both OWA and Outlook according to the request. Click on Edit, make your adjustments and save.
Click on “Yes” so that it is applied to all relevant users.
Close the application to avoid sync conflicts when someone else makes an adjustment to another template.
Steps to take whenever a user has a constant lockout when having their password renewed.
When users change their password, their account keeps getting locked. We found out that these users also need to update their Exclaimer tool credentials.
In the system tray the Exclaimer tool will show an error icon. When the user updates the password, the user will no longer get locked out.
If you do see the icon, it means that the synchronization has not yet finished. To avoid being locked out you would need to enter your password manually.
Proceed to click on the icon, this will open a credential request box where you would need to fill in your new password:
- Open an On-Prem 2016 ECP console and log in
- Click on Recipients / Mailboxes from the menu
- Click the + button and select 'Office 365 Mailbox'
- Fill out the relevant name you want to give the Resource on O365
- Select an OU which synchronises to O365
- Enter a UPN and select @vistra.com in the drop-down
- Select the Mailbox Type of 'Room Mailbox'
- Click Save
- This will sync to O365 on the next sync cycle (every 30 minutes)
Jersey HP Storeeasy Server & Arcserve Backup - 2019 Changes
I have been working with Softcat on installing new disks into our expansion shelf that connects to our backup server, configuring a new RAID set, configuring and creating a new datastore store.
This is all due to us not having the Hash on an SSD drive causing server memory issues along with standard growth causing disk space on the main datastore (D:)
New setup:
Actions completed:
We freed up ~200GB of space on the D:\ drive (NewIndexLocation); this will grow to ~1TB
We created a new DataStore with SSD for the Hash (Dedupe) (old DataStore Hash was migrated here, Y:\ drive)
We created 17 backup plans (mix of physical and virtual)
We created reports for success, failure and growth
We created SLA reporting for RTO @ 4, 8 & 12 hours
We completed an agent-based install/upgrade
We completed selective BMR Backup plans for the RP server and Hyper-V hosts (to exclude the datastores)
We completed a VM and physical backup test
We completed a granular file level restore from Hyper-V guest, redirected restore and download option recovery
We completed an Instant VM to recover a virtual machine on the Hyper-V with the UDP DataStore as the location
Today I have discovered that when JERSRVOVH001 gets restarted the main 3rd floor UPS loses connectivity with its host (the OVH), which then triggers a loud high-pitched sound.
To fix this if I am not here please follow the below:
1. RDP onto JERSRVOVH001
2. Go to Services
3. Restart the below “APC PBE Agent”
4. Go downstairs and unplug the USB from the USB port for 20 seconds then plug it back in:
5. Look on the screen at the front and instead of it showing all in red it will look something like the below:
You can also go directly to the UPS via the web interface to check the status if you want to:
2) Under C:\Support you will see the 3 application shortcuts that you will need primarily "SPC Manager"
3) SPC Manager is the console installed on the server that links to the SQL Database holding all of the door access user data (SQL Express installed on server - DB name: SPC)
4) Launch SPC Manager
5) Login with: Username: ITAdmin Password: (in password database)
6) You are now connected to the door system as an Admin
7) Click "System" then in the drop down select "Global Users":
8) This will bring you to all the users within the system, click "Add Global User"
9) Enter the user's username in the Username field.
Enter the user's full name in the Full Name field.
Enable the type of access the user requires (default access is "General Staff", which is Monday to Friday 7am till 7pm).
Now you need to attach the door card that will be given to the user to their user profile. Click "Add Card" if it's a new card that's not on the system:
Vistra Site Code is "18".
Enter the card number in the Card Number field.
Click "Ok" once the 2 fields are populated.
If you're reusing a card that has previously been input into the system, click "Select Card".
Select the card you are wanting to assign to the user and Click "Set"
You can now apply this user to the door system by clicking:
NEW USER SETUP COMPLETE
How to remove a user from the system
1) Click "System" then in the drop down select "Global Users":
2) This will bring you to all the users within the system. Find the user you wish to remove, click on the user and select "Delete selected User":
Click "Yes":
VERY IMPORTANT STEP
Leave the default option of "Was a temporary card" selected and click "Ok".
If you change this to anything different in the list, it will clear the card entry and block it from being used again for another user, i.e. the card will be unusable from that point onwards.
Q: Why are bookkeepings archived in the first place?
A: Bookkeepings are archived because the data is no longer being used. Without archiving, the data would only grow, causing issues when updating the software. With archiving we are able to reduce the time required for updating.
Q: Why is it requested to move back archived bookkeepings?
A: This can be because of multiple reasons, but most likely that someone requires older data.
To move back an archived bookkeeping is not that difficult, but, does require a few steps. First, we need to understand what needs to be moved back. So, within the request we expect 2 things:
1. Bookkeeping/Entity Number
2. Year(s)
If one of the above is missing, we will not be able to process the request.
Each entity or client has its own unique number consisting of 5 digits. Example: 19156.
Each entity or client can have multiple years, each identified by 2 digits. Example: 10, which represents 2010.
For each year a separate folder is created. We call these B folders, simply because they all start with a B. (B would stand for bookkeeping if you were wondering. 😊) Example:
Taking entity 19156, you can see from the above that this entity has 6 folders, from 2010 to 2015.
B = default leading letter for all folders
19156 = entity number (5 digits)
10 = year (2 digits)
Let’s say it is requested to move back years 2015 + 2014 for entity 19156. See below steps to process it accordingly:
1. Login to AMSSRVMILL001
2. Go to N:\Mill7\Comp_Arch and search for the specific folders required
3. Cut them with X and place them within N:\Mill7\Comp
4. Open up Millogic from your own desktop (never from the server!)
5. Click on F4 when seeing the following window:
Which would give you the following window:
6. Click on “Refresh”, this will check the root folder for any changes, basically updating the B folders list. (This can take a few minutes)
7. Click on “Yes” when receiving the following popup (This can take a few minutes)
8. Due to archiving, the specific years placed back will lose their editing rights. We will need to know which access group the user is assigned to. Let’s take Krishan Saharan in this case 😊
9. Go to Supervisor > Users > Maintenance
10. Proceed with Ctrl+F and search for the name of the requester.
11. We only care about the access rights as marked below, he is in group 200:
12. Go to Supervisor > Users > Rights
13. Change the “Group” to in this case 200 and select the “Client bookkeepings” tab:
14. Fill in the relevant entity number:
From the above you can now see that 2015 and 2014 are included but there are no rights assigned. Whatever you do, do not click on “Open All – On" or “Change All – On", this will give rights to ALL entities which should not be the case.
15. Simply tick both “Open” and “Change” for both years:
16. You are good to go! Inform the requester by ticket, include also Robert Tagg, Iyad Tabashi and Jonathan de Vries within the communication.
Jersey Reception use a different piece of software (Cisco Unified Attendant Console) to all the other staff (Cisco Jabber).
They launch the software from a shortcut in their Start menu and it should automatically log them in using Single Sign On authentication. If this fails and you see the below error response message, this means that the Cisco Jersey UC (phone system) has lost its connection to the Amsterdam ADFS server (AMSSRVADFS001), so authentication fails and refers to IDP.
FIX: Ask someone with access to reboot AMSSRVADFS001 - this is fine to do in the day. Then ask reception to log off and log back in to retest authentication.
Note: If reception are not logged into the Cisco Unified Attendant Console no calls will come through to the main reception (01534 504700).
Cisco Unified Communications Administration Guide - New Starters
Cisco Unified Communications Administration Guide New Starters (Vistra Jersey)
New Starter Procedure
For the self-provisioning procedure to work, there are a number of templates set up in Unified Call Manager (UCM) that get applied to the user when imported from LDAP. To make the user available for import to UCM and UCX, the following procedure needs to be followed:
Find a spare DDI on the DDI spreadsheet (\\work.local\itsupport\IT Support - Europe\Offices\Jersey\Telephony)
Add the full +E164 number to the user's Telephone field in AD:
Add the 4-digit extension to the user's ipPhone field in AD:
Once these fields are populated and the LDAP sync happens, the user will be created in UCM with all the proper settings, permissions and the correct Directory Number (DN). The phone system syncs with AD via LDAP once a day, but if you are in a rush to get the user in the system you can run a manual sync. Browse to the call manager: https://jersrvcucm001.work.local/ccmadmin
Pick the OU that the new user is in (For example):
Click “Perform Full Sync Now”
Syncing them into the phone system will allow the self-provisioning process to work. Once a desk phone is plugged in to the network, it will auto register to the system and if available a speed dial will be available to dial the self-provisioning IVR. If no button is available, 2000100 can be dialed to reach the IVR.
The same import process happens for Unity Connection Voicemail (UCX). Once the LDAP is synchronized the user will be available for import as described below.
Hover over “Call Routing”, Click “Directory Number”
Click “Find” to see all the directory users:
Find a user who will be sitting on the same bank of desks as the new starter and click on the full telephone number:
Scroll down on the user and make a note of the call forward destination number & the call pickup group that the user is in:
Scroll back up and in the right-hand corner you can then navigate back to the directory list:
Find your user (new starter) and click on their full telephone number:
Scroll down to the “Call Forward and Pickup Settings” section and enter the destination number you made a note of in step 5 (Ensure you enter this in all of the fields below)
Set the “Call Pickup Group” as the pickup group you made a note of in step 5:
When the above changes have been made, scroll back up to the top to save the changes:
Hover over “Call Routing”, “Route/Hunt” & click “Line Group”
Click “Find” to see all the Line Groups:
Click on the Line Group that you want to associate with your user, e.g. in this case “JSY Banking”
You then need to add the new starter's extension number to the line group. (Tip: using the “Ctrl F” quick find is handy)
Once you can see the new starters extension number in the “Current Line Group Members” list you can then scroll back to the top and “Save” your amendments:
Final step is to register the user’s extension number with their phone.
Ask Local IT to attend the user's desk. Dial 2000100 from the phone to enter self-provisioning and follow the instructions that are read out to you (it will ask for the full +E164 number, so in this case you would enter 441534504570#).
The phone will then start to provision/register. Once the phone has been registered you should see the user's telephone number (504570) and full name (Joanna Doyle).
YOUR USER CONFIGURATION & PROVISIONING HAS NOW BEEN COMPLETED!
See below the admin training IT Jersey were given post go-live of the Cisco phone system rollout by third-party vendor Jersey Telecom (JT). Please feel free to refer to this, as we recorded the training: https://chevault.sharefile.com/d-sf8655c848e844e7b
Please note we have been advised by Phoenix that the IDOL services listed below need to be stopped manually prior to the server being rebooted. This will commonly be when you're applying Windows updates to the server, meaning Windows updates will need to be applied to these servers differently to others.
****************************************
1. Worksite Content Engine (All)
2. Worksite Active Content Engine
3. Worksite IDOL
4. Worksite Active DIH
5. Worksite Ingestion
6. Worksite Connector
7. Worksite SyncTool
*****************************************
If the services are not manually stopped prior to the reboot and started after it, this will possibly corrupt the content engines and in most cases cause issues with workspace searching and document searching after the reboot.
Quick and easy way to do this:
1) Run the stop services batch file which can be located under \\SERVERNAME\d\iManage\_stop_services.bat
2) Check that all of the services listed above are stopped in services.msc
3) Run Windows updates and allow GFI to reboot server upon completion of updates
4) Reconnect to the server after the updates have installed and the server has rebooted
5) Run the start services batch file which can be located under \\SERVERNAME\d\iManage\_start_services.bat
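Step 2 of the procedure above as a scripted gate, added here as an example and not part of Phoenix's or the original author's material: it reports any listed service that is not fully stopped, so the reboot can be held back until the list is clear. The function name, the display-name patterns derived from the service list above and the sample service objects are assumptions.

```powershell
# Added example; Test-IdolRebootReadiness is a hypothetical helper.
# The patterns are taken from the service list above; whether they match the
# installed display names exactly is an assumption to verify on each server.
$IdolServicePatterns = @(
    'Worksite Content Engine*'        # "(All)": every content engine instance
    'Worksite Active Content Engine'
    'Worksite IDOL'
    'Worksite Active DIH'
    'Worksite Ingestion'
    'Worksite Connector'
    'Worksite SyncTool'
)

function Test-IdolRebootReadiness {
    param(
        [Parameter(Mandatory)] [object[]] $Service,
        [string[]] $Pattern = $IdolServicePatterns
    )
    $blocking = New-Object System.Collections.ArrayList
    $notFound = New-Object System.Collections.ArrayList

    foreach ($p in $Pattern) {
        $matched = @($Service | Where-Object { $_.DisplayName -like $p })
        if ($matched.Count -eq 0) {
            # Not installed on this server, or the pattern needs correcting
            [void]$notFound.Add($p)
            continue
        }
        foreach ($m in $matched) {
            # Anything other than Stopped (Running, StopPending, ...) blocks the reboot
            if ([string]$m.Status -ne 'Stopped') {
                [void]$blocking.Add([pscustomobject]@{
                    DisplayName = $m.DisplayName
                    Status      = [string]$m.Status
                })
            }
        }
    }

    [pscustomobject]@{
        Ready    = ($blocking.Count -eq 0)
        Blocking = $blocking.ToArray()
        NotFound = $notFound.ToArray()
    }
}

# --- Constructed sample: state shortly after running the stop batch file ---
$sample = @(
    [pscustomobject]@{ DisplayName = 'Worksite Content Engine 1';      Status = 'Stopped' }
    [pscustomobject]@{ DisplayName = 'Worksite Content Engine 2';      Status = 'StopPending' }
    [pscustomobject]@{ DisplayName = 'Worksite Active Content Engine'; Status = 'Stopped' }
    [pscustomobject]@{ DisplayName = 'Worksite IDOL';                  Status = 'Running' }
    [pscustomobject]@{ DisplayName = 'Worksite Active DIH';            Status = 'Stopped' }
    [pscustomobject]@{ DisplayName = 'Worksite Ingestion';             Status = 'Stopped' }
    [pscustomobject]@{ DisplayName = 'Worksite Connector';             Status = 'Stopped' }
)

$result = Test-IdolRebootReadiness -Service $sample
"Ready to reboot: $($result.Ready)"
$result.Blocking | Format-Table -AutoSize
if ($result.NotFound.Count) { "No service matched: $($result.NotFound -join '; ')" }

# Live use on the iManage server, after the stop batch file has run:
#   Test-IdolRebootReadiness -Service (Get-Service -DisplayName 'Worksite*')
```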
See the attached Phoenix document on other iManage servers for which they recommend a manual stop and start of services prior to reboot.
Concerns
If you have concerns over this, Bwalya from Phoenix has offered her assistance in checking iManage/Worksite servers post reboot. She can be contacted via the below (preferably prior to the updates being installed so she can put some time aside): bwalya.penza@phoenixbs.com
The Bluecoat connector does not automatically synchronise all user groups from AD to the cloud for use with the policy rules.
To use a group for a policy rule you need to make changes to the LDAP connector configuration.
Connect to AMSSRVDC004, browse to C:\Program Files (x86)\Blue Coat Systems\BCCA and open bcaa.ini
Enter the Group name under [Groups]
The Web Security Service automatically performs an AD refresh once a week; however, you can manually initiate a sync operation. In Service mode, select Authentication > Users and Groups > Active Directory. Be advised that it might take up to 24 hours for you to see the information in your portal. Avoid clicking the button more than once in a 24-hour period; doing so might overly clog the sync queue, causing slower results.
If the Exchange Online Mailbox has a linked Mail User Object, this will need to be converted to a Remote Mailbox Object to be able to migrate the mailbox to On-Premise Exchange. If you do not complete this you will receive a message to say:
Cannot find a recipient that has mailbox GUID '2154d73f-e468-4070-be7f-da072811d308'. --> Cannot find a recipient that has mailbox GUID '2154d73f-e468-4070-be7f-da072811d308'.
To convert the Mail User to a Remote Mailbox you will need to complete the following:
Run the following to set the Exchange GUID on the Remote Mailbox object On-Prem (Replace the GUID with the one that you retrieved from Exchange Online):
Run an O365 Directory Sync and allow Exchange Online to sync these changes and you should then be able to migrate a mailbox back from Exchange Online to Exchange On-Prem.
To set up the Migration log, log in to Exchange Online, click on Recipients, click on the Migration tab and click Add:
Click Migrate from Exchange Online:
Add the relevant Mailbox(es) that you want to migrate back to Exchange On-Premise and click Next:
Select the environment that you want to migrate the mailbox back to and click Next:
Click Next: Enter a name for the Migration Batch / Target Domain / Target Database Name / Bad & Large Item Limits and click Next:
Select the desired scheduling options and then click New to start the Job:
Depending on the option selected in the scheduling, you may need to select to complete the migration batch after it has synced.
You will then need to amend the Mimecast Routing group for the mailbox so that it delivers to the relevant on-premise email server rather than Exchange Online.
Deploying Cisco Jabber to iPhone or Android Mobile Device - Jersey Cisco UC Phone System
Single Sign on is enabled so you should be brought directly to the home page.
To get started, hover over 'user management' then 'User/Phone Add' and then click 'Quick User/Phone Add':
Step 2:
Search for the user using the filters at the top of the page. First name, Last name etc
1. Choose best fit, i.e. First Name
2. Type in some or all of the name
3. Press “find” to search
4. Click on the user you want to add the device to
5. If needed you can add new users here. A local user may be needed for conference rooms etc.
Step 3:
Press “Manage Devices”
Step 4:
1. Click “Add New Phone”
2. Choose the correct product type depending on whether the user has an iPhone or an Android
3. The Device Protocol should be auto-populated but will always be SIP
4. Use the correct naming convention as explained above. The example shows BOT for Android and then the user’s username (max of 12 characters); iPhone is TCT then the user's username.
5. N.B. Use the “Jersey-Mobile-Device_UDT” template for iPhone, iPad and Android devices.
6. Add the device.
The device will then show in the list of devices owned by the user. Now the device has been added on the call manager follow the below steps to get the phone enrolled with Cisco Jabber:
Download Cisco Jabber client from the App store or Play store (DO NOT OPEN IT)
When you delete a mailbox, Exchange Online retains the mailbox and all its contents until the deleted mailbox retention period expires, which is 30 days. After 30 days, the mailbox is permanently deleted and can't be recovered. The method for restoring a mailbox depends on whether the mailbox was deleted by deleting the Office 365 user account or removing the Exchange Online license.
For user mailboxes in a hybrid scenario, if the mailbox has been soft-deleted and the Azure active directory user that was associated with the mailbox has been hard-deleted from Azure Active Directory, you can use New-MailboxRestoreRequest to recover the mailbox.
Please see attached user guides for guidance on installing VPM18 on a Citrix Server, VPM certificate issue resolution, VPM 18 Certificate requirements and Adding/Removing Users to VPM 18
In order to enable Autodiscover so you can set up Office365 for external accounts, start PowerShell as admin (important: perform this under the user's account!)
2) Click to expand "Settings" then Click "Admin Settings":
3) Click "StorageZones"
4) Click the internal Vistra storage zone "CHEVAULT01":
5) Click "Recover Files":
6) Specify the date you would like to go back to:
7) Tick the box on the whole folder if you want to recover the full folder and Click "Recover":
8) If it's just a single file you want to recover then browse into the folder and tick the box next to the file you want to recover and Click "Recover":
There is an initiative to streamline the process of onboarding a global client from a compliance perspective. It is an initiative led by Global Key Account Management, a way that Vistra services a ring-fenced group of priority global clients, ensuring they are supported by the highest level of service through all aspects of their relationship with Vistra. As part of the Global Key Account Management Program, we’ve developed a “Vistra Passport”: a one-time onboarding process for all our Global Key Accounts. With the Vistra Passport, our Global Key Account clients can do business with Vistra anywhere in the world without necessarily having to repeat the same document collection process each time they enter a new jurisdiction.
This initiative is intended to improve the client experience for major clients that are serviced by multiple offices across the Group. IT Support has a key part to play in this and we want to ensure that everyone is fully engaged with the initiative and knows what to expect.
To support this initiative, all KYC information will be stored in one central place (Sharefile) with an official due diligence memo on the client on the level of due diligence already completed. The client folders will be shared with compliance team members from different department/division on an as-needed basis. The sharing access will be controlled by Group Compliance (Isabella McLoughlin) but IT Support will provide the access to the specific folder in the first instance.
The Global Key Account Manager (GKAM) will raise a case with itsupport@vistra.com as shown below. Going forward they will attach to the ticket a completed "Vistra Sharefile New User Form" if they require a new user to be set up; otherwise just a "GKAM Sharefile Approval Form" stating which folder access is to be granted.
2a) Skip to step 24 if the user already exists in Sharefile and only folder permissions access is required.
2b) Download the spreadsheet Vistra Sharefile New User Form attached on the ticket.
8) Click on "Need to import multiple users with Excel?":
9) Click on "Choose File":
10) Browse to the Vistra Sharefile New User Form in your downloads that you downloaded from the ticket, Double click on the file:
11) You will see the file has been uploaded, Click on "Import Users":
12) The User information will then auto insert in the mandatory fields:
13) Scroll down to Step 2 and Click on "Expand All":
**IMPORTANT STEP**
14) You are now adjusting the users general access, ensure that you amend the user access (as shown below) so they only have the below 2 options enabled:
15) Change the Storage Zone from "Public Cloud" to "Private Cloud" (as shown below):
**Folder Permissions**
16) Download the "GKAM Sharefile Approval Form" attached on the service request ticket to find out which folder they would like the user to have access to within the "Global Key Account Management - Vistra Passport" folder. For example:
17) Click "Assign Folders":
18) Expand "Shared Folders":
19) Locate the folder stated within the Access Form, tick the folder and Click "Next: Set Permissions":
20) Click "Create & Continue":
21) Click on "Continue Anyway":
22) Copy the below Notify message into the message box and Click on "Notify":
Dear User,
You have now been setup in Vistra Sharefile.
Please activate your account by clicking the below.
Password: IF YOU SPECIFY A PASSWORD IN STEP 12
Kind Regards, IT Support
23) The user will then receive the below email asking them to activate their account:
24) Browse to the folder upon logging in via "Shared Folders":
25) Once you're on the folder, tick the folder you want to adjust the permissions on, Click "More" then Click "Add People to Folder":
26) Search for the users name in the address book and Click "Add":
27) The user will then receive an email similar to the below example:
28) Reply back on the service request informing the user that all has been done:
**EXTRA**
If Group Compliance, or whoever submits the service request, wants to know if the user has activated their account yet, simply browse to the below area and you will see from there if the user has logged in yet:
See below diagram for the current email routing for Vistra. Please find attached a PDF version and the Visio diagram that can be updated when required.
This document will assist you in the event that a Shared Mailbox is created in cloud (Office365) and needs an on-prem presence to perform tasks such as adding to an AD distribution Group
The process for resolving this is as follows:
- On Exchange 2016 (cumulative update 10 or later versions) run the following command in PowerShell:
Synchronise the Account with O365 – This may involve moving the account to an OU that syncs and then waiting for it to happen
If you then add this to Distribution Groups it can take up to an hour from it synchronising to O365 to it appearing in the Distribution Group
Powershell Script to Automate process
Attached is a powershell script and a csv to use if you wish to perform this for multiple mailboxes. For this to run the CSV must be saved in "C:\Powershell\"
The column names are as follows:
name: Display Name
upn: User Principal Name
email: The email address
alias: Mail Alias
O365 / Azure Guest User Invite Fails at Verification
If you have set up an external person as a Guest User on our O365 / Azure so that they can collaborate with staff in apps such as MS Teams, and they are getting the following error when they try to verify their invite, see the below information from Microsoft (from MS Support ticket 119010324000672 regarding the radiusww.com domain)
Hello Jon,
Thank you so much for confirming with Joe. I am happy to hear that the affected users now have their needed access.
Regarding the radiusww.com tenant question - There are a few different things that could have caused this issue and I would have tried a few troubleshooting steps with the admin in order to determine what it could have been. Since then, someone with the needed access to the tenant has made some changes which has rectified the issue, but because this was done without any involvement on our side, I can't definitively determine what the fix was. What I can tell you is one of the more common reasons I have seen, which causes the exact issue the users experienced, has to do with the partner authentication piece.
Collaborate with any partner using their identities
With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization.
The partner uses their own identities and credentials; Azure AD is not required.
You don't need to manage external accounts or passwords.
You don't need to sync accounts or manage account lifecycles.
Sincerely,
Scope - We will consider this case resolved when we are able to provide customer with information as to why the specified users are unable to accept the B2B invite.
Per the scoping agreement for the case, it sounds as though the issue is resolved. Please advise if you would like me to archive the case at this time or if you require further assistance within the scope of this case.
The issue was likely one that had to do with the radiusww.com identity management solution for the 2 affected users, but because I never discussed this with an admin to troubleshoot, I cannot confirm definitively. What I do know is that someone made the needed changes to allow the guest invites to authenticate once the users accepted them. I hope you find this information helpful.
Eric Larson Support Engineer v-erlars@microsoft.com Cloud Identity POD Support Customer Services and Support
O365 - Hybrid Free / Busy Information Troubleshooting
As part of the O365 Hybrid setup, on-premise mailboxes are now able to see online mailboxes Free / Busy calendar information and vice-versa.
If this is not working then please check the following (When testing it is best to use Webmail as that will take the changes immediately. The Outlook client can wait for the OAB to update which occurs once a day):
On-Premise Mailbox User can't see Free Busy Information for O365 Mailbox
- Open the Mail User object in on-premise exchange for the O365 Mailbox
- Confirm that the External Email Address isn't currently set to x.x@ofiz.mail.onmicrosoft.com
- Add x.x@ofiz.mail.onmicrosoft.com as an additional Secondary SMTP address on the Mail User (if this isn't there already)
- Perform an O365 AD Sync
- Check that the Online Mailbox has picked up the x.x@ofiz.mail.onmicrosoft.com address as a secondary SMTP
- On the on-premise exchange Mail User object for the Online Mailbox click on the x.x@ofiz.mail.onmicrosoft.com address and click 'Set as External' as below (the Reply address should remain as x.x@vistra.com):
- Perform an O365 AD Sync
- Free / Busy Calendar information should now be visible for On-Premise Mailbox users to see
- When this change is made to change the 'External Email Address', please note that email from on-premise exchange will now use the Hybrid Send Connector which sends to O365 via Hong Kong Exchange:
Online Mailbox (O365) User can't see Free Busy Information for On-Premise Mailbox
- Check that the on-premise email server has been rebooted since 24/11/18 (Hybrid Configuration Date), if not run an IISReset on the server (Out of Hours).
- Open the Mailbox object in on-premise exchange
- Add x.x@ofiz.mail.onmicrosoft.com as an additional Secondary SMTP address on the mailbox (if this isn't there already)
- Perform an O365 AD Sync
- Free / Busy Calendar information should now be visible for Online Mailbox (O365) users to see
1. Connect to BVISRVOVH001 or BVISRVOVH002 and browse to:
ControllerA: 10.23.1.10 (user/pw in pw manager)
ControllerB: 10.23.1.20 (user/pw in pw manager)
2. Go to volumes -> action -> create virtual volumes
3. Specify volume name and set the sizes, click ok
4. Go to mapping -> action -> map
5. Select All Initiators and mark the volume you created and click map. Make sure you select all ports and click OK.
6. Go back to the OVH and open MPIO -> Discover Multi-paths -> and click add
7. You will be told that a reboot is required; there is no need to reboot, so click No.
8. The disk is now added in disk management
9. Configure the disk as cluster shared volume. Right click on the volume -> online -> initialize disk -> click OK -> New simple volume -> Next -> Next -> Do not assign a drive letter or drive path -> Give the preferred name
10. Add disk as cluster shared volume. Open Failover cluster manager -> Add disk -> (You will see the disk) -> Ok -> Rename the disk -> Right click - add to cluster shared volume -> Rename the volume on C:\ClusterStorage.
Please use this guide for new starters that will join a non-integrated office.
For example, they have their own IT department to provide Windows accounts on their local hardware. In this case they will only need an O365 account to be able to email as Vistra.
1. Arrange the appropriate starter forms and put them in a shared location (for example on the ITsupport share, starters/leavers)
2. Create user in AD (make sure you use the correct naming convention)
3. Fill in all user details (compare with other similar users and functions) + add email address etc
4. Add the security groups needed, for example:
Email - All Staff Vistra DXB MGW - O365
5. Wait for O365 to synchronize the account
6. Create mail user in Exchange 2010 (select existing user)
7. Create the mailbox on O365 portal for this new starter + assign licenses
8. Setup Outlook etc on the users PC
9. Reset password and provide to HR person that requested the new starter
10. Refer to the attached document (ChangePassword - O365.pdf) and send it to the HR person, so they can reset their Vistra password
To Enable the O365 Windows 10 Password Reset from Login screen the following Pre-requisites need to be met:
- The user's PC needs to be Windows 10 version 1803 or higher
- The User needs to have an Azure Active Directory Premium P1 license assigned (Automatic if they have an O365 Exchange Online Mailbox via dynamic license group)
- The User needs to have enrolled an MFA method (https://aka.ms/MFASetup)
- The User needs to be added to the following Azure AD group: Security – AD Azure - Global - Self Service Password Reset - In Cloud - Members
- The PC needs to have the following Group Policy Applied to it:
When the above conditions are met, the staff member will then get the option to 'Reset Password' from the login screen:
Select the Reset password link to open up the Self Service Password Reset experience at the sign-in screen
Confirm your email address and select Next. Select and confirm a contact method for verification
On the Create a new password page, enter a new password, confirm your password, and then select Next.
When you see the message Your password has been reset, select Finish.
O365 - How to Migrate a Mailbox from On-Premise to Exchange Online
- Download the below regkey
- Close all office programs
- Double click on the reg key so it inserts on the user's profile
- Relaunch Office and you will no longer get the above hung password prompt box
This guide provides information on the Standard Vistra O365 deployment.
This comprises three key areas:
Installation Package
Configuration.xml
Deployment Script
This guide does not include information of third party apps such as worksite deployment and Outlook add-ins which you may need to build in to your deployments.
Installation Package
We have created a standard customized package and config file which is located on Sharefile
Save this into your local application deployment share such as the sources$ directory (Example: \\jersrvfs001\sources$\O365ProPlus)
Note: Please refer to the READ ME file for the current build and version info
Overview of Configuration.xml
The below xml specifies the source location of the installation files, this UNC path needs to be updated per site\region. It also dictates which applications are installed as part of the installation.
Note: The below Vistra standard XML file includes Visio & MS Project
Please see below items that should be considered for a rebrand of an acquisition. All acquisitions vary so this is a general guide of items to consider.
Domains - Com Laude
- Get a list of all of the acquired company's domains.
- Work with James Nunn (james.nunn@comlaude.com) from Com Laude to move these across to our control.
Email Address Export and Mapping to @vistra.com
- Export all email addresses from the acquired company's email environment
- If Exchange then you can use the following PowerShell (secondary SMTP addresses are joined with ";" so that they export as text rather than as System.Object[]):
Get-Recipient -ResultSize Unlimited | Select-Object Name, RecipientType, PrimarySmtpAddress, ExternalEmailAddress, @{L="EmailAddresses";E={($_.EmailAddresses | ? {$_.PrefixString -ceq "smtp"} | % {$_.SmtpAddress}) -join ";"}}, OrganizationalUnit | Export-Csv c:\Exports\AllEmailAddress03-12-18.csv -NoTypeInformation
Mimecast - Route Acquired Domain Inbound via Mimecast
- Create wildcard Delivery Route for the acquired company's domain to route to their current email environment
- Add Domain as Internal on Mimecast (Requires TXT Record to be created)
- Validate domains as internal and accept all addresses / no anti-spoofing policies
- Create a Greylisting Policy Exclusion
- Add all email addresses to a Mimecast Profile Group
- Set up Content Examination Rule to hold all email coming in and apply to the Profile Group
- Change MX records to (Both with priority of 10 to enable round robin):
Mimecast - Route Acquired Domain Outbound via Mimecast
- Identify the EGRESS IP for the acquired company's mail service (Not required if they are on O365)
- Email Mimecast Support (support@mimecast.com) to request for the EGRESS IP to be added as an authorised outbound IP address. You will need to confirm with them that this is a dedicated IP and that it is not shared with any other companies. If shared with another company then it needs to go onto Mimecast's Shared Services platform.
Determine Email Ingestion Method
- Skykick (Perspicuity) - O365 Ingestion from another O365 Tenant
- Simply Migrate (Jon / Miguel / Ambrus) - O365 Ingestion from PST's
- Exchange Import - On-Premise Mailbox
Mimecast - Rebrand to @vistra.com
- If the mailboxes will be in O365, create Mail Users on-premise for all of the new staff
- Create an AD group for email routing and add all of the Mail Users created in the last step (i.e. Email - All Staff Vistra DUB MGW - O365)
- Set up Azure AD Sync if you created a new OU (https://itsupport.vistra.com/hc/en-gb/articles/115005205385-Group-O365-Synced-OU-s-in-work-local-how-to-add-an-additional-OU)
- Create Delivery Route for the AD Group above to route to the relevant Exchange environment
Pre-seed mailboxes
- If an O365 tenant migration then AD connect needs to be disabled 72 hours prior to migration to release the domain. At this point the mailboxes will be in-cloud mailboxes.
- If an O365 tenant migration then the O365 Groups need to be deleted prior to the migration to release the domain.
- Enable Mimecast Delivery Route Pause (Scheduled)
- Enable Mimecast Content Examination Hold
- Initiate last sync of mailboxes
- Add the acquired company's email addresses to the Mail Users
- Run a Directory Sync on Mimecast to check that the acquired company's email addresses are alias mapping to the new @vistra.com addresses
- If an O365 tenant migration then remove domains from old tenant
- Change Delivery Route on Mimecast for the acquired company's domain to the new destination
- Change Delivery Route on Mimecast for the AD Group with Mail Users in to the new destination
- Send Test Emails in to each address from Gmail
- Release test emails from Hold Queue
- Recalculate Delivery Route for the test emails from the Delivery Queue
- Un-Pause delivery Route
- Check O365 / On-premise Mail Trace to see that the emails have delivered to the mailboxes
- Pause Delivery Route
- Release all remaining Emails from hold queue
- Recalculate Delivery Route for emails from the Delivery Queue
- Un-Pause delivery Route
- Allow free flow by disabling the Content Examination Rule
- Check email flow from / to O365 mailbox on the client side
Outlook Agent to switch Profile
Please refer to attached guides:
- Deploying the Outlook Assistant via Group Policy. This tool will only be used in case of a migration via Perspicuity.
- Configuring the Outlook profile manually "ConfigreOutlook - O365". This guide can be used in case some of the agents did not work.
Exclaimer
The O365 signature will need to be set up via our on-prem O365 Exclaimer tool. This needs to be done via hkgsrvdc05 -> 172.16.220.20 (DMZ server). Create a new policy, and please make sure you do not create duplicates.
Once created, deploy the Exclaimer agents to the workstations. Please use this link
O365 Mailbox MFA Method Enrolment
Advise the staff to enrol for MFA by carrying out these steps:
- Launch URL https://aka.ms/MFASetup
- Log in using your work email and password
- Complete the security verification form
Open the MSO_Check.ps1 file and amend the paths to the one you created above and also the new file names for the MSI files:
Grant Domain Computers modify access to \\PATHABOVE\Mimecast\Logs to allow computers to write back a log file.
Create a GPO to run the batch file at startup:
Staff also need to be part of this group ‘Security - Global Mimecast MSO users’ either individually or as part of the office Security Group. Being part of this group enables the application profile which allows the Mimecast Toolbar to connect.
- Enter your @vistra.com email address and the Captcha code and click Next:
- Select one of the MFA methods that you set up earlier and verify:
- Enter a new password and confirm this:
- You should then get confirmation that your password has been reset:
- You will also receive an email to confirm your password reset:
1. Check if the VM is part of the Hypervisor(s).
2. Update the Hypervisor(s) and RPS with this account: svczrhbackup
3. Add account to the following groups on the Hypervisor:
3.1 Local admin
3.2 Backup Operators
4. Add account to the following Local Security Policies:
4.1 Act as an Operating System
4.2 Allow log on locally
4.3 Log on as a batch
4.4 Log on as a service
5. UAC disabled both on the RPS server and Hypervisor(s).
6. Set EnableLUA in the registry to '0', then reboot the server.
See attached guide on how to allocate / re-allocate Citrix licenses.
If a Citrix License server has run out of licenses you can restart the Citrix License service which will give you 5 minutes to get staff logged in whilst it re-counts. You can repeat this process until you have all of the staff logged in. This will then allow you the time to generate the new license file and apply it to the server.
Q1 2018 - Quarterly Task T9 - Check AutoLoader and Tape Drives for new Firmware
The member of staff completing this will need access to the ECAT Softcat Portal (List below as of September 2018). If you have any issues with accessing and you are authorized please contact Jack Scargill - JackSc@softcat.com (Account Manager). There is also a reset password option available on the portal.
Below is an overview of the ‘Major IT Incident Report’ report process.
We have now moved the ‘Major Incident Reporting’ to the O365 Team ‘IT Operations Management Team’ (click here to access).
The purpose of this report is to document ‘Major IT incidents’. A ‘Major IT Incident’ is defined as a business-critical IT service being unavailable for over one hour during business hours. Once completed, a copy of this report needs to be provided to the local office MD, the Group Managing Director of Asia, Europe or the US, and the CIO. Copies of all reports are also held centrally by Vistra Group IT (within a Zendesk ticket and also in the reports folder under the team).
We have provided templates for both the report and the incident advisory email.
Note: Archived incident report location: \\work.local\itsupport\Global\Incident Reports - OLD - Now on Teams - IT OPERATIONS MANAGEMENT TEAM
How to Backup Bank Clarity Live & Restore onto BankClarity_LiveSupport
1) RDP to JERSRVBC001 & Open "SQL Server Management Studio":
2) Connect to the below Live Instance & run this job:
3) Stop the "BankClarity_LiveSupport" IIS App Pool
4) Connect to the below Test Instance & run this job:
5) Start the "BankClarity_LiveSupport" IIS App Pool:
Advise Melissa Maakestad once this restore has been completed so BankClarity can then connect in and check BankClarity_LiveSupport to investigate whichever issue they're looking into.
We had a case today where there were two email contacts with external email addresses added to a distribution group and Mimecast was bouncing them due to it being an External Sender to External Recipient which is blocked by default as a relay attempt. This is due to the change in Outbound routing direct to Mimecast from Exchange as previously we were only routing emails from @vistra.com out to Mimecast on the Mailmarshal servers and these emails to external distribution group members would have gone directly out from Mailmarshal.
External Sender -> Mimecast -> On-Prem Exchange Distribution Group -> Mimecast (Now to external recipient in distribution group)
If your teams identify any external recipients of distribution groups then they can be added to the following Profile Group on Mimecast which will permit the traffic:
This is restricted down so that the emails have to have gone through our email servers and cannot just be relayed directly from an external party to one of those external recipients:
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is either located on Citrix servers or locally on some of the machines.
Client SETUP
To setup a new pc you need to install the client and create a SQL ODBC
Install MSI from \\jersrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
ODBC SETUP
Depending on the machine run:
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new user DSN: Data Source > select SQL Server with the following connection strings:
- Name: JERTMS5
- Description: Jersey Screening Deployed
- Server: JERSRVSD01\JERSD
- SQL username: jersdws
- Password: password manager
Change the default database to TMS5
Enable "use ANSI quoted identifiers" and "ANSI nulls, paddings, and warnings"
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: JERTMS5 (or the relevant data source name for the jurisdiction's SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA password for the Screening Deployed SQL DB
testing software
Open Investigator application:
"C:\Program Files (x86)\Screening Deployed\investigator.exe" – 64bit PC
"C:\Program Files\Screening Deployed\investigator.exe" – 32 bit PC
Old Infrastructure (still connected to jordans.local) is still active and will remain active for the next week in case there is a need for roll back or any form of restoration.
We have commissioned a local domain controller in the office which is hosted on this VM host.
IP details
SYCSRVDC001 – 10.119.10.110
Seychelles AD Site
User Environment:
Local PC Roaming Profile Path: \\SYCSRVDC001\sycprofiles$
Local PC Start Menu Redirection Path: \\Jordanssey\TSMRedirections$
Home Drive for both workstations and citrix: \\jordanssey\sycusers$
Seychelles Office has been setup with a local citrix farm (SYCFARM01) which has 1 Xenapp Server; SYCSRVCTX01
SYCSRVDC001 is set up as EPO SA and Repository server and gets policies and updates from AMSSRVEPO001. All desktops have been deployed with the McAfee products.
Business Applications:
Navision – Main CRM, Billing. This is the main business application used by Seychelles. (K3 Support is active)
O365 Pro Plus
Emails and Signatures:
Vistra Seychelles mailboxes are in Vistra O365 tenant.
A GPO has been created to do an autodiscover XML redirection for O365 autodiscover to work within the vistra network.
Signatures are generated through Exclaimer O365 Signature manager that is installed on HKGSRVEXCL01 (172.16.220.20). A GPO has been configured to install the Exclaimer Update Agent on all PCs and Citrix servers.
MappedDrives:
I: \\JordansSEY\Jordans
W: \\jordanssey\workshare
Y: \\jordanssey\Sertussey
Z: \\jordanssey\SBCSey
PRINTERS: (deployed via GPO)
SYCPRN01_PCL
SYCPRN01_PS
SYCPRN02
SYCPRN03
Backend servers/Network:
SYCSRVCTX01 – TS Access (used mainly for SAP and Vital Doc Access)
Local PC Roaming Profile Path: \\SYDSRVDC001\auprofiles$
Local PC Start Menu Redirection Path: \\SYDSRVDC001\TSMRedirections$
Home Drive for both workstations and citrix: \\HKGSRVFS001\HomePath\AUS\
TS Folder Redirection: \\HKGSRVFS001\HomePath\AUS
TS Profile Redirection: \\HKGSRVFS03\TSProfiles$
Sydney Office connects to HKG Citrix Farm and has 2 dedicated Xenapp Servers (HKGSRVCTX008 and HKGSRVCTX009)
SYDSRVDC001 is set up as EPO SA and Repository server and gets policies and updates from HKGSRVEPO01. All desktops have been deployed with the McAfee products.
Business Applications:
ReckonAPS – Main CRM, Billing, Timesheet application, Tax lodgement. This is the main business application used by VFR. (Reckon Support is active)
MYOB Products – Accounts Edge, Accounts Right, Accounts Right Plus and Premiere. These are the main accounting software. (MYOB support is active)
Leaseman – Accounting Software
NTAA – Tax Accounting/Property Tax Software (NTAA Support is active)
Simple Fund – Fund Accounting Software (currently no active support)
ATO Tax Portal (cloud)
O365 Pro Plus
Emails and Signatures:
Vistra Foster Raffan mailboxes are in Vistra O365 tenant.
A GPO has been created to do an autodiscover XML redirection for O365 autodiscover to work within the vistra network.
Signatures are generated through Exclaimer O365 Signature manager that is installed on HKGSRVEXCL01 (172.16.220.20). A GPO has been configured to install the Exclaimer Update Agent on all PCs and Citrix servers.
MappedDrives:
G: \\HKGSRVFS03\s6super$ (Simple Fund Directory)
I: \\HKGSRVFS03\CommonApps$ (ATO certificates for tax lodgement)
J: \\HKGSRVFS03\INusers$\%username%
K: \\HKGSRVFS03\CommonData$\Common (main client data drive)
This article serves as a documentation on how to properly use and append the Powershell script used to create the monthly Office365 License Report.
The purpose of this script is to get all licensed users from Office365 and create a report categorized by the "office" attribute in AD. Each office will have a list of products based on the licensed users in that specific office. Each license has a corresponding price, which is multiplied by the count of users using that product and inserted into the MRC field. See reference image:
There are five (5) phases when you run the script:
Declarations and definitions - In this phase, you will specify the overall variables that will be used in the script. This also includes the log objects and the connection strings. Since logs are very important in running automated scripts, I included them in the script so that whenever an error is encountered during its process, the errors can be seen in a text file in a specified folder.
The connection string contains the information used to connect to the MS Online service. It needs to connect to the service so that it can pull out the user and license information:
Credentials - the credentials used in the script to connect to the MSOL service are stored in a secured XML file. Use this command to create the XML file: Get-Credential -Credential "<youradminusername@vistra.com>" | Export-Clixml "<Path/filename.xml>". After creating the XML credential file, it can be used in the script via Import-Clixml.
Connection - the connection string is really straightforward. It will connect to the correct MSOL service based on the credentials provided. The script looks like this:
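The phases described above (log file, stored credential, MSOL connection, per-office grouping with MRC), shown as an added PowerShell example; it is not the original report script. Function names, file paths, SKU ids and prices are assumptions, and the sample users are constructed so the grouping can be run without connecting to the tenant.

```powershell
# Added example, not the original license report script.
# Paths, SKU ids and prices below are constructed placeholders.

function Write-ReportLog {
    param([string] $Path, [string] $Message)
    # One timestamped line per event, appended to the log file.
    Add-Content -Path $Path -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Get-LicenseReport {
    param(
        [Parameter(Mandatory)] [object[]]  $Users,       # objects shaped like Get-MsolUser output
        [Parameter(Mandatory)] [hashtable] $PriceBySku   # monthly price per AccountSkuId
    )
    # One row per (user, license) so a user holding two products counts in both.
    $rows = foreach ($u in $Users) {
        if (-not $u.IsLicensed) { continue }
        $office = if ([string]::IsNullOrWhiteSpace($u.Office)) { '(no office set)' } else { $u.Office }
        foreach ($lic in $u.Licenses) {
            [pscustomobject]@{ Office = $office; Product = $lic.AccountSkuId }
        }
    }
    $rows | Group-Object -Property Office, Product | ForEach-Object {
        $first = $_.Group[0]
        $price = $PriceBySku[$first.Product]   # $null when the SKU has no price entry
        [pscustomobject]@{
            Office    = $first.Office
            Product   = $first.Product
            Users     = $_.Count
            UnitPrice = $price
            # Leave MRC empty rather than 0 for unpriced SKUs so they stand out.
            MRC       = if ($null -ne $price) { $price * $_.Count } else { $null }
        }
    } | Sort-Object -Property Office, Product
}

function Invoke-LiveLicenseReport {
    param(
        [string] $CredentialFile, [string] $LogFile,
        [string] $OutCsv, [hashtable] $PriceBySku
    )
    try {
        # Export-Clixml protects the password with Windows DPAPI: only the same
        # user on the same computer can import it, so the file must be created
        # while logged on as the account that runs the report.
        $cred = Import-Clixml -Path $CredentialFile
        Connect-MsolService -Credential $cred -ErrorAction Stop
        $users = Get-MsolUser -All -ErrorAction Stop
        Get-LicenseReport -Users $users -PriceBySku $PriceBySku |
            Export-Csv -Path $OutCsv -NoTypeInformation
        Write-ReportLog -Path $LogFile -Message "Report written to $OutCsv"
    }
    catch {
        # Record the failure for the unattended run, then re-throw it.
        Write-ReportLog -Path $LogFile -Message "ERROR: $($_.Exception.Message)"
        throw
    }
}

# Constructed sample data (not real users, SKUs or prices) for an offline check.
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'a@example.com'; Office = 'Jersey'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'tenant:ENTERPRISEPACK' }) }
    [pscustomobject]@{ UserPrincipalName = 'b@example.com'; Office = 'Jersey'; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'tenant:ENTERPRISEPACK' },
                     [pscustomobject]@{ AccountSkuId = 'tenant:EMS' }) }
    [pscustomobject]@{ UserPrincipalName = 'c@example.com'; Office = ''; IsLicensed = $true
        Licenses = @([pscustomobject]@{ AccountSkuId = 'tenant:UNPRICED_SKU' }) }
    [pscustomobject]@{ UserPrincipalName = 'd@example.com'; Office = 'Dubai'; IsLicensed = $false
        Licenses = @() }
)
$samplePrices = @{ 'tenant:ENTERPRISEPACK' = 20.00; 'tenant:EMS' = 8.00 }

Get-LicenseReport -Users $sampleUsers -PriceBySku $samplePrices | Format-Table -AutoSize
```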
O365 CSP is through SoftCat's Partner Innovix Distribution Limited
Current Process:
- Local Business provides Substance Office Packages to Clients, which include Domain Registration, Domain Hosting, Email Hosting, Telephony and PC setup and an actual Substance Office Room
- Vistra IT will register the domain name and create DNS zone with Com Laude
- Vistra IT manages DNS records for Client domain, which include O365 DNS records
- Vistra IT Sets Up the O365 Tenant and Client requested mailboxes and mail groups
- Vistra IT Contacts SoftCat to link O365 Tenant to eCAT (EU tenants) or Innovix Distribution (For Asia)
- Vistra Local Business gets billed for client O365 licenses and Vistra recharges client for the cost
- Vistra IT hands over the Tenant Admin password to the client (however, the client assumes that Vistra IT manages their O365 and sends support requests directly to the Engineer who set up their O365 Tenant)
"Need assistance to fix credential prompt for 2016 mailboxes on server (Jersrvexc003) & help to assist in allowing 2016 users access public folders which are still located on Exchange 2010".
Resolution:
For the credential prompt issue on Exchange 2016 user mailboxes, we cleared the "MSexchhomepublicMDB" attribute from the Exchange 2016 database.
However, because we want our Exchange 2016 users to access the legacy public folders, we need to configure a proxy mailbox on Exchange 2010 for public folders, which also requires the "MSexchhomepublicMDB" attribute to be set again.
We followed the steps below, as described in the article, to configure legacy public folders where user mailboxes are on Exchange 2016 servers.
Step 1: Make the Exchange 2010 public folders discoverable
If your public folders are on Exchange 2010 or later servers, then you need to install the Client Access Server role on all mailbox servers that have a public folder database.
Create an empty mailbox database on each public folder server.
Create a proxy mailbox within the new mailbox database and hide the mailbox from the address book. The SMTP of this mailbox will be returned by AutoDiscover as the DefaultPublicFolderMailbox SMTP, so that by resolving this SMTP the client can reach the legacy exchange server for public folder access.
Step 2: Configure user mailboxes to access the legacy public folders
Enable the Exchange Server 2013 on-premises users to access the legacy public folders. You will point to all of the proxy public folder mailboxes that you created in Step 1: Make the Exchange 2010 public folders discoverable. Run the following command from an Exchange 2013 server with the CU5 or higher update.
If a new SSL has been generated for auth.vistra.com which is used for ADFS, then a new token signing SSL needs to be generated for Worksite. If the new token signing SSL is not generated then the following will appear in IE when you try to connect:
Login to AMSSRVADFS001
Open AD FS 2.0 Console
Expand Service / Certificates
Right click on the Token-Signing SSL and click View Certificate
Click Details Tab
Click Copy to File
Click Next
Select Base-64 Encoding X.509 (.CER)
Click Next
Choose a location to save to
Click Next
Click Finish
Copy the file to the JERSRVDM001 / AMSSRVDM002 server and replace C:\Support\myfssign.cer
This is the process of logging a ticket if you have a firewall issue or change request.
For standard change requests (anything other than break fix) please log a Zendesk firewall ticket, with as much information as possible. These will be collated every Thursday and processed by Chris and Ken over the following week. This allows us to sanity check the request and discuss with the requester if necessary. If this request needs to be expedited then the requester must get approval from either Wendy or Jacco. Standard change requests cannot be accelerated without approval.
If you have a system down or break fix situation you can contact Chris or Ken directly to assist. If this isn’t possible you are all authorized to log a break fix emergency ticket with CDW directly. You can do this by ringing +44(0)203 069 5520 or +44 203 069 5444 and giving the support desk the details of the request and the urgency. You can also log the ticket by emailing Servicenetsd@uk.cdw.com; however, emergency requests should ideally be logged by telephone if possible. Please also ensure that you email Chris and Ken to inform us that you have logged the ticket and send us the CDW ticket number.
In the event that you haven’t heard back from CDW in a timely manner or wish to escalate the ticket please email escalations@uk.cdw.com providing as much information as possible i.e.
Incident Reference Number (If Applicable)
When the call was logged
Customer name and full contact details
Nature of the escalation
Criticality of the escalation (number of users impacted)
3. Unzip in the newly created O365ProPlus folder. This will result in a configuration.xml and setup.exe file.
4. Browse to https://officedev.github.io and create your own custom XML. Keep in mind that we should always exclude Access. You can also copy below XML settings:
This will install everything Pro Plus has to offer except Access. It will also automatically remove "Skype for Business (basic) 2016". Make sure you change the server address in the above sample if you decide to use it. If this concerns a terminal server environment, please adjust the following from:
Please see the attached design document for the Viewpoint CSP which is set up in Amsterdam. This CSP can be configured to connect to any Viewpoint database around the group as required. To enable this there are specific tasks and firewall rules that need to be put in place.
Servers
AMSSRVCSP002 (LAN) - Viewpoint CSP Front Office Server
AMSSRVCSPW002 (DMZ) - Viewpoint CSP IIS Web Server
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is either located on Citrix servers or locally on some of the machines.
Client SETUP
To setup a new pc you need to install the client and create a SQL ODBC
Install MSI from \\jersrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
Roaming TS Profile Creating (Terminal Server)
Before logging into citrix as the user UNC to \\jersrvfs001\tsprofiles$
Create the user a tsprofile folder in the format username.WORK.V2
Give the user full access to this in the security options of the folder (Important step)
Proceed to login as the user and create the below ODBC connection
ODBC SETUP
Depending on the machine run:
Citrix - (x86) C:\windows\system32\odbcad32
Workstation - (x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new user DSN: Data Source > select SQL Server, with the following connection settings:
- Name: GSYTMS5
- Description: GSY Screening Deployed
- Server: JERSRVSD03\GSYSD
- SQL username: gsysdws
- Password: password manager
Change the default database to TMS5
Enable use of ANSI quoted identifiers and ANSI nulls, paddings, and warnings
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: GSYTMS5 (Or the relevant data source name for the jurisdictions SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA Password for the Screening Deployed SQL DB
testing software
Open Investigator application:
("C:\Program Files (x86)\Screening Deployed\investigator.exe") – 64bit PC
("C:\Program Files\Screening Deployed\investigator.exe") – 32 bit PC
Go to ‘Jump’ > ‘Jumpoint’ & click ‘Re-Deploy’ on the one you need:
Then click ‘Download’ and save it to the server it is to deployed on.
Run the installer on the server, agree to the license, next, next, when you get to the ‘Proxy’ options, choose ‘Jump Zone Proxy Server’ then fill in the name of the server you’re installing on:
Finish the install, go back to nlpam.vistra.com and refresh the Jumpoint page to make sure the Jumpoint is now installed:
Step 2: Login the portal with SVC backup accounts. These are stored in PW manager
Step 3: Click on Help -> Check for updates
Step 4: If an update is found, please follow steps as provided in the setup (as this change each time). Please make sure you’re logged-in to the back-up server itself.
Please would you be so kind as to proceed with the change of tapes and confirm when done?
Tape ID: TAPE 1_05_2018 (OR TAPE 1_FEB_2018)
Awaiting your response
Body Next Tape: (reply to last received communication)
Dear Jacqueline,
Please would you be so kind as to proceed with the change of tapes and confirm when done?
Tape ID: TAPE 2_05_2018 (OR TAPE 2_FEB_2018)
Awaiting your response
Body Backup Finished: (reply to last received communication)
Dear Jacqueline,
Hereby informing you that the EOW (OR EOM) backup has finished successfully.
Hoping to have informed you sufficiently.
When to change tapes?
We all receive notifications coming from svcbackup@vistra.com for each office where backups are running. By checking these notifications you will know if a change of tapes is required.
When you delete a mailbox, Exchange Online retains the mailbox and all its contents until the deleted mailbox retention period expires, which is 30 days. After 30 days, the mailbox is permanently deleted and can't be recovered. The method for restoring a mailbox depends on whether the mailbox was deleted by deleting the Office 365 user account or removing the Exchange Online license.
For user mailboxes in a hybrid scenario, if the mailbox has been soft-deleted and the Azure active directory user that was associated with the mailbox has been hard-deleted from Azure Active Directory, you can use New-MailboxRestoreRequest to recover the mailbox.
Please see attached user guides for guidance on installing VPM18 on a Citrix Server, VPM certificate issue resolution, VPM 18 Certificate requirements and Adding/Removing Users to VPM 18
In order to enable Autodiscover so you can set up Office365 for external accounts, start PowerShell as admin (important: perform this under the user's account!)
2) Click to expand "Settings" then Click "Admin Settings":
3) Click "StorageZones"
4) Click the internal Vistra storage zone "CHEVAULT01":
5) Click "Recover Files":
6) Specify the date you would like to go back to:
7) Tick the box on the whole folder if you want to recover the full folder and Click "Recover":
8) If it's just a single file you want to recover then browse into the folder and tick the box next to the file you want to recover and Click "Recover":
There is an initiative being streamlined for the process of on boarding a global client from a compliance perspective. It is an initiative led by Global Key Account Management, a way that Vistra services a ring-fenced group of priority global clients - ensuring they are supported by the highest level of service through all aspects of their relationship with Vistra. As part of the Global Key Account Management Program, we’ve developed a “Vistra Passport” – a one-time on boarding process for all our Global Key Accounts. With the Vistra Passport, our Global Key Account clients can do business with Vistra anywhere in the world without necessarily having to repeat the same document collection process each time they enter a new jurisdiction.
This initiative is intended to improve the client experience for major clients that are serviced by multiple offices across the Group. IT Support has a key part to play in this and we want to ensure that everyone is fully engaged with the initiative and know what to expect.
To support this initiative, all KYC information will be stored in one central place (Sharefile) with an official due diligence memo on the client on the level of due diligence already completed. The client folders will be shared with compliance team members from different department/division on an as-needed basis. The sharing access will be controlled by Group Compliance (Isabella McLoughlin) but IT Support will provide the access to the specific folder in the first instance.
Global Key Account Manager (GKAM) will raise a case with itsupport@vistra.com like shown below, but going forward they will attach to the ticket a completed "Vistra Sharefile New User Form" if they require a new user to be setup otherwise just a "GKAM Sharefile Approval Form" to state which folder access is required to be granted.
2a) Skip to step 24 if user already exists in Sharefile and just folder permissions access is required.
2b) Download the spreadsheet Vistra Sharefile New User Form attached on the ticket.
8) Click on "Need to import multiple users with Excel?":
9) Click on "Choose File":
10) Browse to the Vistra Sharefile New User Form in your downloads that you downloaded from the ticket, Double click on the file:
11) You will see the file has been uploaded, Click on "Import Users":
12) The User information will then auto insert in the mandatory fields:
13) Scroll down to Step 2 and Click on "Expand All":
**IMPORTANT STEP**
14) You are now adjusting the users general access, ensure that you amend the user access (as shown below) so they only have the below 2 options enabled:
15) Change the Storage Zone from "Public Cloud" to "Private Cloud" (as shown below):
**Folder Permissions**
16) Download the "GKAM Sharefile Approval Form" attached on the service request ticket to find out which folder they would like the user to have access to within the "Global Key Account Management - Vistra Passport" folder. For example:
17) Click "Assign Folders":
18) Expand "Shared Folders":
19) Locate the folder stated within the Access Form, tick the folder and Click "Next: Set Permissions":
20) Click "Create & Continue":
21) Click on "Continue Anyway":
22) Copy the below Notify message into the message box and Click on "Notify":
Dear User,
You have now been setup in Vistra Sharefile.
Please activate your account by clicking the below.
Password: IF YOU SPECIFY A PASSWORD IN STEP 12
Kind Regards, IT Support
23) The user will then receive the below email asking them to activate their account:
24) Browse to the folder upon logging in via "Shared Folders":
25) Once you're on the folder, tick the folder you want to adjust the permissions on, Click "More" then Click "Add People to Folder":
26) Search for the user's name in the address book and Click "Add":
27) The user will then receive an email similar to the below example:
28) Reply back on the service request informing the user that all has been done:
**EXTRA**
If Group Compliance, or whoever submits the service request, wants to know if the user has activated their account yet, simply browse to the below area and you will see from there if the user has logged in yet:
See below diagram for the current email routing for Vistra. Please find attached a PDF version and the Visio diagram that can be updated when required.
This document will assist you in the event that a Shared Mailbox is created in cloud (Office365) and needs an on-prem presence to perform tasks such as adding to an AD distribution Group
The process for resolving this is as follows:
- On Exchange 2016 (cumulative update 10 or later versions) run the following command in PowerShell:
Synchronise the Account with O365 – This may involve moving the account to an OU that syncs and then waiting for it to happen
If you then add this to Distribution Groups it can take up to an hour from it synchronising to O365 to it appearing in the Distribution Group
Powershell Script to Automate process
Attached is a powershell script and a csv to use if you wish to perform this for multiple mailboxes. For this to run the CSV must be saved in "C:\Powershell\"
The column names are as follows:
name: Display Name
upn: User Principal Name
email: The email address
alias: Mail Alias
O365 / Azure Guest User Invite Fails at Verification
If you have set up an external person as a Guest User on our O365 / Azure so that they can collaborate with staff in apps such as MS Teams, and they get the following error when they try to verify their invite, see the below information from Microsoft (From MS Support ticket 119010324000672 regarding the radiusww.com domain)
Hello Jon,
Thank you so much for confirming with Joe. I am happy to hear that the affected users now have their needed access.
Regarding the radiusww.com tenant question - There are a few different things that could have caused this issue and I would have tried a few troubleshooting steps with the admin in order to determine what it could have been. Since then, someone with the needed access to the tenant has made some changes which has rectified the issue, but because this was done without any involvement on our side, I can't definitively determine what the fix was. What I can tell you is one of the more common reasons I have seen, which causes the exact issue the users experienced, has to do with the partner authentication piece.
Collaborate with any partner using their identities
With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization.
The partner uses their own identities and credentials; Azure AD is not required.
You don't need to manage external accounts or passwords.
You don't need to sync accounts or manage account lifecycles.
Sincerely,
Scope - We will consider this case resolved when we are able to provide customer with information as to why the specified users are unable to accept the B2B invite.
Per the scoping agreement for the case, it sounds as though the issue is resolved. Please advise if you would like me to archive the case at this time or if you require further assistance within the scope of this case.
The issue was likely one that had to do with the radiusww.com identity management solution for the 2 affected users, but because I never discussed this with an admin to troubleshoot, I cannot confirm definitively. What I do know is that someone made the needed changes to allow the guest invites to authenticate once the users accepted them. I hope you find this information helpful.
Eric Larson Support Engineer v-erlars@microsoft.com Cloud Identity POD Support Customer Services and Support
O365 - Hybrid Free / Busy Information Troubleshooting
As part of the O365 Hybrid setup, on-premise mailboxes are now able to see online mailboxes Free / Busy calendar information and vice-versa.
If this is not working then please check the following (When testing it is best to use Webmail as that will take the changes immediately. The Outlook client can wait for the OAB to update which occurs once a day):
On-Premise Mailbox User can't see Free Busy Information for O365 Mailbox
- Open the Mail User object in on-premise exchange for the O365 Mailbox
- Confirm that the External Email Address isn't currently set to x.x@ofiz.mail.onmicrosoft.com
- Add x.x@ofiz.mail.onmicrosoft.com as an additional Secondary SMTP address on the Mail User (If this isn't there already)
- Perform an O365 AD Sync
- Check that the Online Mailbox has picked up the x.x@ofiz.mail.onmicrosoft.com address as a secondary SMTP
- On the on-premise exchange Mail User object for the Online Mailbox click on the x.x@ofiz.mail.onmicrosoft.com address and click 'Set as External' as below (The Reply address should remain as x.x@vistra.com):
- Perform an O365 AD Sync
- Free / Busy Calendar information should now be visible for On-Premise Mailbox users to see
- When this change is made to change the 'External Email Address', please note that email from on-premise exchange will now use the Hybrid Send Connector which sends to O365 via Hong Kong Exchange:
Online Mailbox (O365) User can't see Free Busy Information for On-Premise Mailbox
- Check that the on-premise email server has been rebooted since 24/11/18 (Hybrid Configuration Date), if not run an IISReset on the server (Out of Hours).
- Open the Mailbox object in on-premise exchange
- Add x.x@ofiz.mail.onmicrosoft.com as an additional Secondary SMTP address on the mailbox (If this isn't there already)
- Perform an O365 AD Sync
- Free / Busy Calendar information should now be visible for Online Mailbox (O365) users to see
1. Connect to BVISRVOVH001 or BVISRVOVH002 and browse to:
ControllerA: 10.23.1.10 (user/pw in pw manager)
ControllerB: 10.23.1.20 (user/pw in pw manager)
2. Go to volumes -> action -> create virtual volumes
3. Specify volume name and set the sizes, click ok
4. Go to mapping -> action -> map
5. Select All Initiators and mark the volume you created and click map. Make sure you select all ports and click OK.
6. Go back to the OVH and open MPIO -> Discover Multi-paths -> and click add
7. When prompted that a reboot is required, click No; there is no need to reboot.
8. The disk is now added in disk management
9. Configure the disk as cluster shared volume. Right click on the volume -> online -> initialize disk -> click OK -> New simple volume -> Next -> Next -> Do not assign a drive letter or drive path -> Give the preferred name
10. Add disk as cluster shared volume. Open Failover cluster manager -> Add disk -> (You will see the disk) -> Ok -> Rename the disk -> Right click - add to cluster shared volume -> Rename the volume on C:\ClusterStorage.
Please use this guide for new starters that will join a non-integrated office.
For example they have their own IT dep to provide windows account on their local hardware. In this case they will only need an O365 account to be able to email as Vistra.
1. Arrange the appropriate starter forms and put them in a shared location (for example on the ITsupport share, starters/leavers)
2. Create user in AD (make sure you use the correct naming convention)
3. Fill in all user details (compare with other similar users and functions) + add email address etc
4. Add the security groups needed, for example:
Email - All Staff Vistra DXB MGW - O365
5. Wait for O365 to synchronize the account
6. Create mail user in Exchange 2010 (select existing user)
7. Create the mailbox on O365 portal for this new starter + assign licenses
8. Setup Outlook etc on the users PC
9. Reset password and provide to HR person that requested the new starter
10. Refer to the attached (ChangePassword - O365.pdf) document and send it to the HR person, so they can reset their Vistra password
To Enable the O365 Windows 10 Password Reset from Login screen the following Pre-requisites need to be met:
- The Users PC needs to be Windows 10 version 1803 or higher
- The User needs to have an Azure Active Directory Premium P1 license assigned (Automatic if they have an O365 Exchange Online Mailbox via dynamic license group)
- The User needs to have enrolled an MFA method (https://aka.ms/MFASetup)
- The User needs to be added to the following Azure AD group: Security – AD Azure - Global - Self Service Password Reset - In Cloud - Members
- The PC needs to have the following Group Policy Applied to it:
When the above conditions are met, the staff member will then get the option to 'Reset Password' from the login screen:
Select the Reset password link to open up the Self Service Password Reset experience at the sign-in screen
Confirm your email address and select Next. Select and confirm a contact method for verification
On the Create a new password page, enter a new password, confirm your password, and then select Next.
When you see the message Your password has been reset, select Finish.
O365 - How to Migrate a Mailbox from On-Premise to Exchange Online
- Download the below regkey
- Close all office programs
- Double click on the reg key so it inserts on the users profile
- Re launch Office and you will no longer get the above hung password prompt box
This guide provides information on the Standard Vistra O365 deployment.
This comprises three key areas:
Installation Package
Configuration.xml
Deployment Script
This guide does not include information of third party apps such as worksite deployment and Outlook add-ins which you may need to build in to your deployments.
Installation Package
We have created a standard customized package and config file which is located on Sharefile
Save this into your local application deployment share such as sources$ directory: (Example: \\jersrvfs001\sources$\O365ProPlus)
Note: Please refer to the READ ME file for the current build and version info
Overview of Configuration.xml
The below xml specifies the source location of the installation files, this UNC path needs to be updated per site\region. It also dictates which applications are installed as part of the installation.
Note: The below Vistra standard XML file includes Visio & MS Project
Please see below items that should be considered for a rebrand of an acquisition. All acquisitions vary so this is a general guide of items to consider.
Domains
Com Laude
- Get a list of all of the acquired company's domains.
- Work with James Nunn (james.nunn@comlaude.com) from Com Laude to move these across to our control.
Email Address Export and Mapping to @vistra.com
- Export all email addresses from the acquired company's email environment
- If Exchange, then you can use the following PowerShell:
Get-Recipient -Resultsize unlimited | Select Name, RecipientType, PrimarySmtpAddress, ExternalEmailAddress, @{L="EmailAddresses";E={$_.EmailAddresses | ? {$_.PrefixString -ceq "smtp"} | % {$_.SmtpAddress}}}, OrganizationalUnit | Export-csv c:\Exports\AllEmailAddress03-12-18.csv
Mimecast - Route Acquired Domain Inbound via Mimecast
- Create wildcard Delivery Route for the acquired company's domain to route to their current Email environment
- Add Domain as Internal on Mimecast (Requires TXT Record to be created)
- Validate domains as internal and accept all addresses / no anti-spoofing policies
- Create a Greylisting Policy Exclusion
- Add all email addresses to a Mimecast Profile Group
- Setup Content Examination Rule to hold all email coming in and apply to the Profile Group
- Change MX records to (Both with priority of 10 to enable round robin):
Mimecast - Route Acquired Domain Outbound via Mimecast
- Identify the EGRESS IP for the acquired company's mail service (Not required if they are on O365)
- Email Mimecast Support (support@mimecast.com) to request for the EGRESS IP to be added as an authorised outbound IP address. You will need to confirm with them that this is a dedicated IP and that it is not shared with any other companies. If shared with another company then it needs to go onto Mimecast's Shared Services platform.
Determine Email Ingestion Method
- Skykick (Perspicuity) - O365 Ingestion from another O365 Tenant
- Simply Migrate (Jon / Miguel / Ambrus) - O365 Ingestion from PST's
- Exchange Import - On-Premise Mailbox
Mimecast - Rebrand to @vistra.com
- If the mailboxes will be in O365, create Mail Users on-premise for all of the new staff
- Create an AD group for email routing and add all of the Mail Users created in the last step (i.e Email - All Staff Vistra DUB MGW - O365)
- Setup Azure AD Sync if created a new OU (https://itsupport.vistra.com/hc/en-gb/articles/115005205385-Group-O365-Synced-OU-s-in-work-local-how-to-add-an-additional-OU)
- Create Delivery Route for the AD Group above to route to the relevant Exchange environment
Pre-seed mailboxes
- If an O365 tenant migration then AD connect needs to be disabled 72 hours prior to migration to release the domain. At this point the mailboxes will be in-cloud mailboxes.
- If an O365 tenant migration then the O365 Groups need to be deleted prior to the migration to release the domain.
- Enable Mimecast Delivery Route Pause (Scheduled)
- Enable Mimecast Content Examination Hold
- Initiate last sync of mailboxes
- Add the acquired company's email addresses to the Mail Users
- Run a Directory Sync on Mimecast to check that the acquired company's email addresses are alias mapping to the new @vistra.com addresses
- If an O365 tenant migration then remove domains from old tenant
- Change Delivery Route on Mimecast for the acquired company's domain to the new destination
- Change Delivery Route on Mimecast for the AD Group with Mail Users in to the new destination
- Send Test Emails in to each address from Gmail
- Release test emails from Hold Queue
- Recalculate Delivery Route for the test emails from the Delivery Queue
- Un-Pause delivery Route
- Check O365 / On-premise Mail Trace to see that the emails have delivered to the mailboxes
- Pause Delivery Route
- Release all remaining Emails from hold queue
- Recalculate Delivery Route for emails from the Delivery Queue
- Un-Pause delivery Route
- Allow free flow by disabling the Content Examination Rule
- Check email flow from / to O365 mailbox on the client side
Outlook Agent to switch Profile
Please refer to attached guides:
- Deploying the Outlook Assistant via Group Policy. This tool will only be used in case of a migration via Perspicuity.
- Configuring the Outlook profile manually "ConfigreOutlook - O365". This guide can be used in case some of the agents did not work.
Exclaimer
The O365 will need to be set up via our on-prem O365 Exclaimer tool. This needs to be done via hkgsrvdc05 -> 172.16.220.20 (DMZ server). Create a new policy; please make sure you do not create duplicates.
Once created, deploy the Exclaimer agents to the workstations. Please use this link
O365 Mailbox MFA Method Enrolment
Advise the staff to enrol for MFA by carrying out these steps:
- Launch URL https://aka.ms/MFASetup
- Login using your work email and password
- Complete the security verification form
Open the MSO_Check.ps1 file and amend the paths to the one you created above and also the new file names for the MSI files:
Grant Domain Computers modify access to \\PATHABOVE\Mimecast\Logs to allow computers to write back a log file.
Create a GPO to run the batch file at startup:
Staff also need to be part of this group ‘Security - Global Mimecast MSO users’ either individually or as part of the office Security Group. Being part of this group enables the application profile which allows the Mimecast Toolbar to connect.
Enter your @vistra.com email address and the Captcha code and click next:
Select one of the MFA methods that you set up earlier and verify:
Enter a new password and confirm this:
You should then get confirmation that your password has been reset:
You will also receive an email to confirm your password reset:
1. Check if the VM is part of the Hyper Visor(s).
2. Update the Hyper Visor(s) and RPS with this account svczrhbackup
3. Add account to the following groups on the Hyper Visor:
3.1 Local admin
3.2 Backup Operators
4. Add account to the following Local Security Policies:
4.1 Act as an Operating System
4.2 Allow log on locally
4.3 Log on as a batch
4.4 Log on as a service
5. UAC disabled both on the RPS server and Hyper Visor(s).
6. In the registry, set EnableLUA to '0', then reboot the server.
See attached guide on how to allocate / re-allocate Citrix licenses.
If a Citrix License server has run out of licenses you can restart the Citrix License service which will give you 5 minutes to get staff logged in whilst it re-counts. You can repeat this process until you have all of the staff logged in. This will then allow you the time to generate the new license file and apply it to the server.
Q1 2018 - Quarterly Task T9 - Check AutoLoader and Tape Drives for new Firmware
The member of staff completing this will need access to the ECAT Softcat Portal (List below as of September 2018). If you have any issues with accessing and you are authorized please contact Jack Scargill - JackSc@softcat.com (Account Manager). There is also a reset password option available on the portal.
Below is an overview of the ‘Major IT Incident Report’ report process.
We have now moved the ‘Major Incident Reporting’ to the O365 Team ‘IT Operations Management Team’ ( click here to access).
The purpose of this report is to document ‘Major IT incidents’. A ‘Major IT Incident’ is defined as a business-critical IT service being unavailable for over one hour during business hours. Once completed, a copy of this report needs to be provided to the local office MD, Group Managing Director of Asia, Europe or the US and the CIO. Copies of all reports are also held centrally by Vistra Group IT (within a Zendesk ticket and also in the reports folder under the team).
We have provided templates for both the report and the incident advisory email.
Note: Archived incident report location: \\work.local\itsupport\Global\Incident Reports - OLD - Now on Teams - IT OPERATIONS MANAGEMENT TEAM
How to Backup Bank Clarity Live & Restore onto BankClarity_LiveSupport
1) RDP to JERSRVBC001 & Open "SQL Server Management Studio":
2) Connect to the below Live Instance & run this job:
3) Stop the "BankClarity_LiveSupport" IIS App Pool
4) Connect to the below Test Instance & run this job:
5) Start the "BankClarity_LiveSupport" IIS App Pool:
Advise Melissa Maakestad once this restore has been completed so BankClarity can then connect in and check the BankClarity_LiveSupport to investigate whichever issue they're looking into.
We had a case today where there were two email contacts with external email addresses added to a distribution group and Mimecast was bouncing them due to it being an External Sender to External Recipient which is blocked by default as a relay attempt. This is due to the change in Outbound routing direct to Mimecast from Exchange as previously we were only routing emails from @vistra.com out to Mimecast on the Mailmarshal servers and these emails to external distribution group members would have gone directly out from Mailmarshal.
External Sender -> Mimecast -> On-Prem Exchange Distribution Group -> Mimecast (Now to external recipient in distribution group)
If your teams identify any external recipients of distribution groups then they can be added to the following Profile Group on Mimecast which will permit the traffic:
This is restricted down so that the emails have to have gone through our email servers and cannot just be relayed directly from an external party to one of those external recipients:
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is either located on Citrix servers or locally on some of the machines.
Client SETUP
To set up a new PC you need to install the client and create a SQL ODBC connection.
Install MSI from \\jersrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
ODBC SETUP
Depending on the machine run:
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new User DSN data source > select SQL Server with the following connection settings:
- Name: JERTMS5
- Description: Jersey Screening Deployed
- Server: JERSRVSD01\JERSD
- SQL username: jersdws
- Password: password manager
Change the default database to TMS5.
Enable "Use ANSI quoted identifiers" and "Use ANSI nulls, paddings and warnings".
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: JERTMS5 (or the relevant data source name for the jurisdiction's SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA password for the Screening Deployed SQL DB
Testing software
Open the Investigator application:
64-bit PC: "C:\Program Files (x86)\Screening Deployed\investigator.exe"
32-bit PC: "C:\Program Files\Screening Deployed\investigator.exe"
The old infrastructure (still connected to jordans.local) is still active and will remain active for the next week in case there is a need for rollback or any form of restoration.
We have commissioned a local domain controller in the office which is hosted on this VM host.
IP details
SYCSRVDC001 – 10.119.10.110
Seychelles AD Site
User Environment:
Local PC Roaming Profile Path: \\SYCSRVDC001\sycprofiles$
Local PC Start Menu Redirection Path: \\Jordanssey\TSMRedirections$
Home Drive for both workstations and citrix: \\jordanssey\sycusers$
Seychelles Office has been setup with a local citrix farm (SYCFARM01) which has 1 Xenapp Server; SYCSRVCTX01
SYCSRVDC001 is set up as EPO SA and Repository server and gets policies and updates from AMSSRVEPO001. All desktops have been deployed with the McAfee products.
Business Applications:
Navision – Main CRM, Billing. This is the main business application used by Seychelles. (K3 Support is active)
O365 Pro Plus
Emails and Signatures:
Vistra Seychelles mailboxes are in Vistra O365 tenant.
A GPO has been created to do an autodiscover XML redirection for O365 autodiscover to work within the vistra network.
Signatures are generated through Exclaimer O365 Signature Manager, which is installed on HKGSRVEXCL01 (172.16.220.20). A GPO has been configured to install the Exclaimer Update Agent on all PCs and Citrix servers.
MappedDrives:
I: \\JordansSEY\Jordans
W: \\jordanssey\workshare
Y: \\jordanssey\Sertussey
Z: \\jordanssey\SBCSey
PRINTERS: (deployed via GPO)
SYCPRN01_PCL
SYCPRN01_PS
SYCPRN02
SYCPRN03
Backend servers/Network:
SYCSRVCTX01 – TS Access (used mainly for SAP and Vital Doc Access)
Local PC Roaming Profile Path: \\SYDSRVDC001\auprofiles$
Local PC Start Menu Redirection Path: \\SYDSRVDC001\TSMRedirections$
Home Drive for both workstations and citrix: \\HKGSRVFS001\HomePath\AUS\
TS Folder Redirection: \\HKGSRVFS001\HomePath\AUS
TS Profile Redirection: \\HKGSRVFS03\TSProfiles$
Sydney Office connects to HKG Citrix Farm and has 2 dedicated Xenapp Servers (HKGSRVCTX008 and HKGSRVCTX009)
SYDSRVDC001 is set up as EPO SA and Repository server and gets policies and updates from HKGSRVEPO01. All desktops have been deployed with the McAfee products.
Business Applications:
ReckonAPS – Main CRM, Billing, Timesheet application, Tax lodgement. This is the main business application used by VFR. (Reckon Support is active)
MYOB Products – Accounts Edge, Accounts Right, Accounts Right Plus and Premiere. These are the main accounting software. (MYOB support is active)
Leaseman – Accounting Software
NTAA – Tax Accounting/Property Tax Software (NTAA Support is active)
Simple Fund – Fund Accounting Software (currently no active support)
ATO Tax Portal (cloud)
O365 Pro Plus
Emails and Signatures:
Vistra Foster Raffan mailboxes are in Vistra O365 tenant.
A GPO has been created to do an autodiscover XML redirection for O365 autodiscover to work within the vistra network.
Signatures are generated through Exclaimer O365 Signature Manager, which is installed on HKGSRVEXCL01 (172.16.220.20). A GPO has been configured to install the Exclaimer Update Agent on all PCs and Citrix servers.
MappedDrives:
G: \\HKGSRVFS03\s6super$ (Simple Fund Directory)
I: \\HKGSRVFS03\CommonApps$ (ATO certificates for tax lodgement)
J: \\HKGSRVFS03\INusers$\%username%
K: \\HKGSRVFS03\CommonData$\Common (main client data drive)
This article documents how to properly use and append the PowerShell script used to create the monthly Office365 License Report.
The purpose of this script is to get all licensed users from Office365 and create a report categorized by the "office" attribute in AD. Each office will have a list of products based on the licensed users in that specific office. Each license has a corresponding price, which is multiplied by the count of users using that product; the result is inserted into the MRC field. See reference image:
There are five (5) phases when you run the script:
Declarations and definitions - In this phase, you will specify the overall variables that will be used in the script. This also includes the log objects and the connection strings. Since logs are very important when running automated scripts, I included logging in the script so that whenever an error is encountered during its process, the errors can be seen in a text file in a specified folder -
The connection string contains the information used to connect to the MS Online service. It needs to connect to the service so that it can pull out the user and license information:
Credentials - the credentials used in the script to connect to the MSOL service are stored in a secured XML file. Use this command to create the XML file:
Get-Credential -Credential "<youradminusername@vistra.com>" | Export-Clixml -Path "<Path/filename.xml>"
After creating the XML credential file, it can be used in the script using Import-Clixml.
Connection - the connection string is really straightforward. It will connect to the correct MSOL service based on the credentials provided. The script looks like this:
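The credential, connection and per-office MRC steps described above, sketched as an added example (this is not the original report script). The price table, the sample users, the file path and the function names are assumptions; Connect-MsolService and Get-MsolUser are the MSOnline module cmdlets behind the "MSOL service" the article refers to.

```powershell
# Added example. Not the original report script: prices and sample users are constructed.

function Get-LiveLicensedUser {
    # Live path: needs the MSOnline module and the Clixml credential file created earlier.
    param([Parameter(Mandatory)][string]$CredentialPath)
    $cred = Import-Clixml -Path $CredentialPath
    Connect-MsolService -Credential $cred -ErrorAction Stop
    Get-MsolUser -All | Where-Object { $_.IsLicensed }
}

function Get-LicenseReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,       # objects shaped like Get-MsolUser output
        [Parameter(Mandatory)][hashtable]$PriceTable  # SKU part number -> monthly unit price
    )
    # Flatten to one row per (user, license) so users with several licenses count once per product
    $rows = foreach ($u in $Users) {
        $office = if ([string]::IsNullOrWhiteSpace($u.Office)) { '(no office set)' } else { $u.Office }
        foreach ($lic in $u.Licenses) {
            # AccountSkuId has the form "<tenant>:<SKU>"; keep only the SKU part
            [pscustomobject]@{ Office = $office; Sku = ($lic.AccountSkuId -split ':')[-1] }
        }
    }
    $rows | Group-Object -Property Office, Sku | ForEach-Object {
        $first = $_.Group[0]
        $known = $PriceTable.ContainsKey($first.Sku)
        [pscustomobject]@{
            Office  = $first.Office
            Product = $first.Sku
            Users   = $_.Count
            # MRC = unit price x user count; an unpriced SKU is flagged rather than costed at zero
            MRC     = if ($known) { [decimal]$PriceTable[$first.Sku] * $_.Count } else { $null }
            Note    = if ($known) { '' } else { 'no price defined' }
        }
    } | Sort-Object -Property Office, Product
}

# Constructed sample data so the report logic can be checked without a tenant
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@example.com'; Office = 'Amsterdam'
                       Licenses = @([pscustomobject]@{ AccountSkuId = 'example:ENTERPRISEPACK' }) }
    [pscustomobject]@{ UserPrincipalName = 'user2@example.com'; Office = 'Amsterdam'
                       Licenses = @([pscustomobject]@{ AccountSkuId = 'example:ENTERPRISEPACK' },
                                    [pscustomobject]@{ AccountSkuId = 'example:FLOW_FREE' }) }
    [pscustomobject]@{ UserPrincipalName = 'user3@example.com'; Office = 'Jersey'
                       Licenses = @([pscustomobject]@{ AccountSkuId = 'example:EXCHANGESTANDARD' }) }
    [pscustomobject]@{ UserPrincipalName = 'user4@example.com'; Office = ''
                       Licenses = @([pscustomobject]@{ AccountSkuId = 'example:EXCHANGESTANDARD' }) }
)
$prices = @{ ENTERPRISEPACK = 20.00; EXCHANGESTANDARD = 4.00 }   # constructed prices

Get-LicenseReport -Users $sampleUsers -PriceTable $prices | Format-Table -AutoSize

# Live run (hypothetical path):
# Get-LicenseReport -Users (Get-LiveLicensedUser -CredentialPath 'C:\Scripts\msol-cred.xml') -PriceTable $prices
```

On Windows, Import-Clixml can only decrypt the stored password for the account that exported it, on the same machine, so create the XML file as the account that runs the report.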
O365 CSP is thru SoftCat's Partner Innovix Distribution Limited
Current Process:
- Local Business provides Substance Office Packages to Clients, which include Domain Registration, Domain Hosting, Email Hosting, Telephony, PC setup and an actual Substance Office Room
- Vistra IT will register the domain name and create DNS zone with Com Laude
- Vistra IT manages DNS records for Client domain, which include O365 DNS records
- Vistra IT Sets Up the O365 Tenant and Client requested mailboxes and mail groups
- Vistra IT Contacts SoftCat to link O365 Tenant to eCAT (EU tenants) or Innovix Distribution (For Asia)
- Vistra Local Business gets billed for client O365 licenses and Vistra recharges client for the cost
- Vistra IT hands over the Tenant Admin password to the client (however, the client assumes that Vistra IT manages their O365 and sends support requests directly to the Engineer who set up their O365 Tenant)
"Need assistance to fix credential prompt for 2016 mailboxes on server (Jersrvexc003) & help to assist in allowing 2016 users access public folders which are still located on Exchange 2010".
Resolution:
For the credential prompt issue on Exchange 2016 user mailboxes, we cleared the "MSexchhomepublicMDB" attribute from the Exchange 2016 database.
However, because we want our Exchange 2016 users to access the legacy public folders, we need to configure a proxy mailbox on Ex2010 for public folders, which also requires the "MSexchhomepublicMDB" attribute to be set again.
We followed the steps below, as mentioned in the article, to configure legacy public folders where user mailboxes are on Exchange 2016 servers.
Step 1: Make the Exchange 2010 public folders discoverable
If your public folders are on Exchange 2010 or later servers, then you need to install the Client Access Server role on all mailbox servers that have a public folder database.
Create an empty mailbox database on each public folder server.
Create a proxy mailbox within the new mailbox database and hide the mailbox from the address book. The SMTP of this mailbox will be returned by AutoDiscover as the DefaultPublicFolderMailbox SMTP, so that by resolving this SMTP the client can reach the legacy exchange server for public folder access.
Step 2: Configure user mailboxes to access the legacy public folders
Enable the Exchange Server 2013 on-premises users to access the legacy public folders. You will point to all of the proxy public folder mailboxes that you created in Step 1: Make the Exchange 2010 public folders discoverable. Run the following command from an Exchange 2013 server with the CU5 or higher update.
If a new SSL has been generated for auth.vistra.com which is used for ADFS, then a new token signing SSL needs to be generated for Worksite. If the new token signing SSL is not generated then the following will appear in IE when you try to connect:
Log in to AMSSRVADFS001
Open the AD FS 2.0 Console
Expand Service / Certificates
Right-click on the Token-Signing SSL and click View Certificate
Click the Details tab
Click Copy to File
Click Next
Select Base-64 encoded X.509 (.CER)
Click Next
Choose a location to save to
Click Next
Click Finish
Copy the file to the JERSRVDM001 / AMSSRVDM002 server and replace C:\Support\myfssign.cer
This is the process of logging a ticket if you have a firewall issue or change request.
For standard change requests (anything other than break fix) please log a Zendesk firewall ticket, with as much information as possible. These will be collated every Thursday and processed by Chris and Ken over the following week. This allows us to sanity check the request and discuss with the requester if necessary. If this request needs to be expedited then the requester must get approval from either Wendy or Jacco. Standard change requests cannot be accelerated without approval.
If you have a system down or break fix situation you can contact Chris or Ken directly to assist. If this isn’t possible you are all authorized to log a break fix emergency ticket with CDW directly. You can do this by ringing +44(0)203 069 5520 or +44 203 069 5444 and giving the support desk the details of the request and the urgency. You can also log the ticket by emailing Servicenetsd@uk.cdw.com; however, emergency requests should ideally be logged by telephone if possible. Please also ensure that you email Chris and Ken to inform us that you have logged the ticket and send us the CDW ticket number.
In the event that you haven’t heard back from CDW in a timely manner or wish to escalate the ticket please email escalations@uk.cdw.com providing as much information as possible i.e.
Incident Reference Number (If Applicable)
When the call was logged
Customer name and full contact details
Nature of the escalation
Criticality of the escalation (number of users impacted)
3. Unzip in the newly created O365ProPlus folder. This will result in a configuration.xml and setup.exe file.
4. Browse to https://officedev.github.io and create your own custom XML. Keep in mind that we should always exclude Access. You can also copy below XML settings:
This will install everything Pro Plus has to offer except Access. It will also automatically remove "Skype for Business (basic) 2016". Make sure you change the server address in the above sample if you decide to use it. If this concerns a terminal server environment, please adjust the following from:
Please see the attached design document for the Viewpoint CSP which is set up in Amsterdam. This CSP can be configured to connect to any Viewpoint database around the group as required. To enable this there are specific tasks and firewall rules that need to be put in place.
Servers:
AMSSRVCSP002 (LAN) - Viewpoint CSP Front Office Server
AMSSRVCSPW002 (DMZ) - Viewpoint CSP IIS Web Server
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is either located on Citrix servers or locally on some of the machines.
Client SETUP
To set up a new PC you need to install the client and create a SQL ODBC connection.
Install MSI from \\jersrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
Roaming TS Profile Creation (Terminal Server)
Before logging into Citrix as the user, browse via UNC to \\jersrvfs001\tsprofiles$
Create a tsprofile folder for the user in the format username.WORK.V2
Give the user full access to this in the security options of the folder (important step)
Proceed to log in as the user and create the below ODBC connection
ODBC SETUP
Depending on the machine run:
Citrix - (x86) C:\windows\system32\odbcad32
Workstation - (x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new User DSN data source > select SQL Server with the following connection settings:
- Name: GSYTMS5
- Description: GSY Screening Deployed
- Server: JERSRVSD03\GSYSD
- SQL username: gsysdws
- Password: password manager
Change the default database to TMS5.
Enable "Use ANSI quoted identifiers" and "Use ANSI nulls, paddings and warnings".
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: GSYTMS5 (or the relevant data source name for the jurisdiction's SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA password for the Screening Deployed SQL DB
Testing software
Open the Investigator application:
64-bit PC: "C:\Program Files (x86)\Screening Deployed\investigator.exe"
32-bit PC: "C:\Program Files\Screening Deployed\investigator.exe"
Go to ‘Jump’ > ‘Jumpoint’ & click ‘Re-Deploy’ on the one you need:
Then click ‘Download’ and save it to the server it is to be deployed on.
Run the installer on the server, agree to the license, next, next, when you get to the ‘Proxy’ options, choose ‘Jump Zone Proxy Server’ then fill in the name of the server you’re installing on:
Finish the install, go back to nlpam.vistra.com and refresh the Jumpoint page to make sure the Jumpoint is now installed:
Step 2: Login the portal with SVC backup accounts. These are stored in PW manager
Step 3: Click on Help -> Check for updates
Step 4: If an update is found, please follow the steps provided in the setup (as these change each time). Please make sure you’re logged in to the backup server itself.
Please would you be so kind as to proceed with the change of tapes and confirm when done?
Tape ID: TAPE 1_05_2018 (OR TAPE 1_FEB_2018)
Awaiting your response
Body Next Tape: (reply to last received communication)
Dear Jacqueline,
Please would you be so kind as to proceed with the change of tapes and confirm when done?
Tape ID: TAPE 2_05_2018 (OR TAPE 2_FEB_2018)
Awaiting your response
Body Backup Finished: (reply to last received communication)
Dear Jacqueline,
Hereby informing you that the EOW (OR EOM) backup has finished successfully.
Hoping to have informed you sufficiently.
When to change tapes?
We all receive notifications coming from svcbackup@vistra.com for each office where backups are running. By checking these notifications you will know if a change of tapes is required.
This guide can be used for the signatures within outlook and O365.
Info:
There is a GPO that is applied to all workstations in Cyprus. Logs will be saved to \\cypsrvdc001\log$\exclaimer.
Troubleshoot:
1. Rename the PC number that is in the \\cypsrvdc002\log$\exclaimer folder + restart the machine (this will run the Exclaimer application installer again)
2. Check the following location and install Exclaimer manually (\\cypsrvdc002\support$\Exclaimer\osua.msi). Once installed go to Start -> All Programs -> Exclaimer and run the application. Open Outlook and check if the signature is there.
1 - Switch on device and choose the following options:
Language - English
Region: (Appropriate to location) Netherlands
Keyboard: United States International
2 - Connect to wifi
Choose VGAccess, log in with LetMeOut
3 - Install updates.
4 - Setting user options
When prompted, choose 'Setup for personal Use', at sign in, choose 'offline account' - this option is in the bottom-left corner of the screen and the text is intentionally pale and difficult to see.
Set username to 'User', and set a temporary password.
Skip the facial recognition/face sign-in.
Turn off Cortana
Turn off Speech recognition
Turn off Diagnostics & Tailored experience
Turn off Ads
Leave location services ON.
5. Perform Windows updates (again)
6. Configure IT Admin account
Go to Start>Run, type 'MMC' then hit CTRL+M and choose the 'Local Users & Groups' snap-in, click add, finish, OK.
Choose 'Users', then right-click and choose 'New User'.
Fill in as follows:
NOTE: You will need to create a randomly generated strong password for the VGITAdmin account. Generate this using the password manager or other tool, then make a note of it to store later along with the serial number, laptop name & encryption key.
Now right-click on the User account created earlier and set the password to change at next login.
Go to 'Groups', then 'Administrators'. Add the account VGITAdmin to the Administrators group. Then disable the default Administrator account.
7. Adding Bluetooth Mouse
Right-click on Bluetooth icon in the system tray, and choose 'Add a Bluetooth Device'
In the next window, choose the 'Add bluetooth or other device'
Remove the battery tab from the mouse (if applicable) click the sync button on the mouse.
On the laptop Select 'Bluetooth' and then choose the mouse from the list of detected devices.
8 - Tidy start menu
Unpin all games, news & media pins from the start menu (right-click, unpin)
9 - Rename device
Rename the device using the following naming convention:
[Office code]LAP[Year][device number]
Example: AMSLAP1801
You can find the device number you should use by checking the keys on the USB stick, or by checking the folder in Sharefile.
10. Software Installation
From the USB stick (Offline Encryption USB), install the following:
Google Chrome
Microsoft Office 2010 - customize this install and remove Outlook.
- activate office!
Citrix Receiver
McAfee Endpoint Security 10.5 (All options should be enabled)
Change search engine IE to google (not necessary but Bing is Bing)
McAfee browser toolbar, hide via McAfee settings
Citrix receiver, do not show automatically at login, tick box (not necessary, just to keep it nice and clean)
11. Enable Encryption
Go to File Explorer, right-click on C: Drive, 'Turn on Bitlocker' , when prompted choose 'Save to File' and save it to the offline encryption USB. Create a folder within Laptop Keys with the name of the device and the person to whom it will be assigned (if applicable).
Create a notepad file, add the username & password for the VGITAdmin account, the serial number and device hostname to the file and save in the same place as above.
Example notepad text:
Password VGITAdmin: XXXXXXXXX
Serial Number: 037404375053
Hostname: AMSLAP1803
Type: Microsoft Surface Pro
There will be a weekly task to upload the laptop keys from the USB into Sharefile in the shared IT area.
12. Extra info
Do not forget to label the device! (including power brick)
Dedicated laptop or tablet? Only the user should know the password.
If existing, remove office 2016/365
Make sure to keep OneDrive!
If dedicated laptop or tablet, change display name User account to specific staff member name
On tablets, change the setting so that the password must be entered immediately after closing the tablet
This guide explains how to update the firmware on HP servers using HP's SPP (Service Pack for ProLiant)
1. Download the latest SPP from http://www.hpe.com/servers/spp (if this link changes in the future you should be able to find this on the Firmware page on iLo)
2. If possible, drain the Virtual Host you want to update and place the host in Paused (maintenance) mode.
3. Connect with iLo to the Virtual Host and attach the newly downloaded .ISO.
4. Reboot the Virtual Host and boot using the ISO. Successfully booting the .ISO should look like this:
5. Follow all on-screen instructions. Please note that it can take a while for the inventory to be finished. Getting disconnected from iLo at certain points is normal behavior.
6. When upgrading is done, start the server again
7. Mount the .ISO
8. Run launch_sum.bat from the ISO's root folder (if nothing seems to happen, run as administrator). A webpage should be opened with "Welcome to Smart Update Manager"
9. Click "Localhost Guided Update"
10. Select mode Automatic. Wait until inventory is done.
11. When this process is done (it might take a while), you get a report that tells you if you need to reboot. Please reboot the server if one of the results state:
12. Take your Virtual Host out of Paused (maintenance) mode.
This article describes the basic set up and need to know information regarding the Deutsche Bank (DB) users in Mauritius who are currently connecting to Vistra systems.
General Description
DB users connect to Vistra via the Citrix Secure Gateway (CSG) through https://nlcitrix.vistra.com , using AD credentials and a safenet token provided by us.
They have credentials in work.local to do this. They are located in this OU:
work.local/Vistra/Mauritius/Users/New
Any issues logging in to CSG should be dealt with as a normal Vistra user.
Once logged into the gateway, they connect to one of the following:
DB MAU Desktop
This is for users who need access to EZE & VPM, & the generic mailbox.
VPM Desktop
This launches a desktop which gives access only to the VPM application.
Shared Mailbox
Only 2 DB users currently have access to the generic shared mailbox:
DB.VPMEZE@vistra.com
Those users are shahed.hoolash@vistra.com & Jeetamaroy.Chuckun@db.com
NO OTHER USERS SHOULD BE ADDED.
The mailbox is configured on their desktop using the username and password for that mailbox (details in PWM) and not using their own accounts, so access should not be granted via exchange.
Infrastructure:
VPM/EZE - Live Environment
The following servers are involved in the Verona/DB environment:
AMSSRVCTX009 (This is the Citrix server that DB users connect to.)
AMSSRVEZEUAT001 (this is the EZE server copied over from Luxembourg - TBC the date this goes live in AMS)
AMSSRVVPMAS002 - VPM Application Server
AMSSRVVPMPS002 - VPM PS Server
AMSSRVVPMWEB002 - VPM Web Server
Staging Environment
There is a staging environment set up for the Verona project which is segregated from the work.local domain and the Vistra network. It has a separate AD structure and domain controller.
Servers in the staging environment:
STGSRVDC001 - Domain Controller
STGSRVDEV001 - Development Server
STGSRVDM001 - Document Management Server (Staging version Worksite)
STGSRVFS001 - File Server
STGSRVFTP001 - FTP Server (for data transfer between DB & Vistra)
STGSRVSQL001 - SQL Server
STGSRVTS001 - Terminal Services server, provides desktop environment for DB users to connect to staging version of Viewpoint
STGWRK001 - Virtual workstation for testing.
Currently Jonathan le Page, Craig Wilmott & Jamie Carter have access to the AD in the Staging Environment. DB Users will be added soon to be able to access Viewpoint via AMSSRVTS001. They will access via Bomgar PAM initially.
Abacus is a software application that is used by the Zurich office. This application is installed on ZRHSRVAPP01. The contact person for this application is Stefan Schwizer (info@schwizer.ch / 071 388 87 86)
Please amend below settings if Abacus is not opening correctly on a workstation.
*Please make sure Java 32-bit version is correctly installed on the workstation!
Step 1: Open the Abacus shortcut from the Start menu
Step 2: Right-click on the downloaded .jnlp file -> choose open with
Step 3: Configure javaws as the default for .jnlp files (C:\program files (x86)\java\X\Bin\javaws.exe, where X depends on the installed version)
Step 4: Close all open applications, re-open the Abacus link and it will work
This guide provides information on how to purchase O365 licenses thru SoftCat's Ecat portal
1. Login to Ecat (https://ecat.softcat.com/) using your email address and the password you've set thru the ecat welcome email
2. If you are prompted with a screen that says "Select Account" > select VGMAL. If not, this means VGMAL has already been defaulted to your eCAT account and you can ignore this step.
3. Click "My Account"
4. Click "Managed Microsoft Cloud Services"
5. Click on Up and Down Arrow Keys or adjust the quantity as desired. Put a tick on the "acceptance message" and click "update". O365 CSP will send a mail about the license adjustment and will update the O365 portal 1-2 mins later.
7. If the license type is not available, it needs to be purchased. Click on Products > Software > Licensing > O365 CSP
8. Search for the Product and Purchase accordingly. This will require a PO number, please get it from the relevant orderindex spreadsheet in \\work.local\itsupport\Global\Accounts
On report from a staff member of receiving a potentially malicious email the following steps should be taken:
- Use Mimecast Tracking to establish who the email was sent to, as often this won't be isolated to one staff member
- You can then export the list of recipients by clicking Export Data:
- Add the malicious sender to the Blocked Senders Profile group in Mimecast to prevent any further emails coming in from them:
- If the malicious / phishing email contained a URL within the body of the email then this needs to be blocked in URL Protect Managed URL's:
- Use the URL Decoder to convert the re-written Mimecast URL to the original URL:
- Enter the rewritten URL and click Submit, this will then give you the original URL. Click the Add Decoded URL to Block button:
- Click on Logs to establish if anybody had clicked the URL prior to you blocking:
- Enter the URL into search (Remove any prefixes) and click the Search Icon to show if any staff have clicked on the URL. If they have you will see if Mimecast allowed the link at the time of the click in the Action field. If there are any that have been allowed the staff member should be contacted immediately to determine if they have entered any credentials / downloaded any files. If these are all Block you can disregard as Mimecast has not allowed any staff to click on the URL:
- If the malicious URL is within a PDF (can't be rewritten by Mimecast URL Protect) then you will need to block it on Bluecoat. Click Content Filtering / Policy / Blocked Domains/URLs:
- Click New:
- Enter the Original URL, add a comment and click Add Domains/URLs:
- Click Activate:
- Create a report in Bluecoat to check if any staff already clicked on the link by clicking on Reports and then Web Browsing per User:
- Customise the report options for the date and website required and click Run Report:
- You will then get a list of the staff members that have clicked on the link from within the PDF who should be contacted immediately to determine if they have entered any credentials / downloaded any files:
- A communication should be sent to the staff that received the malicious / phishing email to ask them to delete the email and contact IT Support immediately if they have clicked any links / entered any credentials.
If a staff member has entered any credentials then their AD account password should be reset immediately.
If a staff member has clicked on a malicious / Phishing link then a Full AV Scan should be run on their Computer / Citrix Server
- A Zendesk Security Incident should be raised about the event including all information about it and remediation that was completed.
- The malicious / phishing email should be reported to Mimecast via Tracking:
- If it is a phishing email that could be easily replicated but sent from another email address / use different URLs then a Content Examination Policy should be set up in Mimecast to detect similar emails in the future and hold them:
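The click-log check in the steps above (search for the URL with prefixes removed, then look at the Action field) can be run over an exported log, shown here as an added example that is not part of the original procedure. The column names (Timestamp, User, Url, Action), the sample rows and the function names are constructed; map them to the headers of the real export.

```powershell
# Added example. The CSV layout and rows below are constructed, not a Mimecast or Bluecoat format.

function ConvertTo-BareUrl {
    param([Parameter(Mandatory)][string]$Url)
    # Remove the scheme and a leading "www." so reported and logged forms compare equal
    $bare = $Url.Trim() -replace '^[a-z][a-z0-9+.-]*://', '' -replace '^www\.', ''
    $bare.TrimEnd('/')
}

function Get-AllowedClick {
    param(
        [Parameter(Mandatory)][object[]]$LogRows,
        [Parameter(Mandatory)][string]$BlockedUrl
    )
    $target = ConvertTo-BareUrl -Url $BlockedUrl
    $LogRows |
        Where-Object { $_.Url } |
        # Prefix match, case-insensitive, so sub-paths and query strings of the URL are caught too
        Where-Object {
            (ConvertTo-BareUrl -Url $_.Url).StartsWith($target, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        # Clicks that were blocked need no follow-up; anything else was let through
        Where-Object { $_.Action -ne 'Block' } |
        Group-Object -Property User |
        ForEach-Object {
            $first = $_.Group | Sort-Object { [datetime]$_.Timestamp } | Select-Object -First 1
            [pscustomobject]@{
                User       = $_.Name
                Clicks     = $_.Count
                FirstClick = $first.Timestamp
                FollowUp   = 'Contact user; reset AD password if credentials entered; full AV scan'
            }
        }
}

# Constructed sample export
$sampleCsv = @'
Timestamp,User,Url,Action
2018-09-12T09:14:00Z,user.one@example.com,http://www.bad-site.example/login,Allow
2018-09-12T09:20:31Z,user.two@example.com,https://bad-site.example/login?id=7,Block
2018-09-12T09:02:10Z,user.one@example.com,https://bad-site.example/login/,Allow
2018-09-12T09:40:55Z,user.three@example.com,https://intranet.example/home,Allow
2018-09-12T10:05:12Z,user.four@example.com,HTTPS://Bad-Site.example/login?src=mail,Allow
'@
$rows = $sampleCsv | ConvertFrom-Csv

Get-AllowedClick -LogRows $rows -BlockedUrl 'https://bad-site.example/login' | Format-Table -AutoSize
```

With the sample rows, user.one (two allowed clicks) and user.four are returned for follow-up; user.two's click was blocked and user.three visited an unrelated URL.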
For setting up SLDAP for use with Mimecast / Intranet you will need an available external IP to be used for a NAT and then configure the below firewall rule to allow traffic to pass over Port 636:
Below Interact & Mimecast SLDAP IPs --> TCP 636 (SLDAP) --> Available External IP Address --NAT--> Domain Controller
Interact SLDAP IPs: 52.31.52.93 and 178.255.66.130
Mimecast SLDAP IPs: 195.130.217.0/24, 91.220.42.0/24 and 185.58.84.0/22
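To confirm the firewall rule only admits the Interact and Mimecast sources listed above, firewall log entries for TCP 636 can be compared against that allow-list. This is an added example, not part of the original article: the log line format, the sample entries and the function names are constructed, and only the allow-list values come from the text.

```powershell
# Added example. Allow-list values are from the article; the log format and lines are constructed.
$AllowedSources = @(
    '52.31.52.93/32', '178.255.66.130/32',                   # Interact
    '195.130.217.0/24', '91.220.42.0/24', '185.58.84.0/22'   # Mimecast
)

function ConvertTo-UInt32 {
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 only: $Address" }
    [Array]::Reverse($bytes)              # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    # Two addresses share a network when they agree after dropping the host bits,
    # i.e. after integer division by the block size 2^(32 - prefix)
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    [math]::Floor((ConvertTo-UInt32 $Address) / $blockSize) -eq
        [math]::Floor((ConvertTo-UInt32 $network) / $blockSize)
}

function Get-UnexpectedLdapsSource {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Allowed = $AllowedSources
    )
    $pattern = '^(?<time>\S+)\s+(?<action>\S+)\s+TCP\s+src=(?<src>[\d.]+)\s+dst=(?<dst>[\d.]+)\s+dport=636\b'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $time, $action, $src = $Matches['time'], $Matches['action'], $Matches['src']
            $permitted = $false
            foreach ($cidr in $Allowed) {
                if (Test-InCidr -Address $src -Cidr $cidr) { $permitted = $true; break }
            }
            if (-not $permitted) {
                # ALLOW here means the rule is broader than intended; DENY means outside probing
                [pscustomobject]@{ Time = $time; Source = $src; Action = $action }
            }
        }
    }
}

# Constructed firewall log lines (documentation addresses used for the destination)
$sampleLog = @(
    '2018-10-02T08:15:11Z ALLOW TCP src=195.130.217.44 dst=203.0.113.10 dport=636'
    '2018-10-02T08:15:40Z ALLOW TCP src=185.58.87.200 dst=203.0.113.10 dport=636'
    '2018-10-02T08:16:02Z ALLOW TCP src=185.58.88.1 dst=203.0.113.10 dport=636'
    '2018-10-02T08:17:30Z DENY TCP src=198.51.100.23 dst=203.0.113.10 dport=636'
    '2018-10-02T08:18:05Z ALLOW TCP src=52.31.52.93 dst=203.0.113.10 dport=636'
    '2018-10-02T08:19:44Z ALLOW TCP src=198.51.100.23 dst=203.0.113.10 dport=443'
)

Get-UnexpectedLdapsSource -LogLines $sampleLog | Format-Table -AutoSize
```

With the sample lines, 185.58.88.1 (just outside the /22) and 198.51.100.23 are reported; the port 443 entry is ignored.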
Create an SSL certificate with an External Certificate Authority (e.g. Globalsign). The convention used is sldap.vistra.com prefixed with the country code (e.g jersldap.vistra.com) as the Common Name for the SSL
Install the certificate into the NTDS\Personal store on the Domain Controller:
Create an external DNS record to match the Common Name of the SSL certificate which points at an available External Public IP on your firewall
Setup an OU in Active Directory called ‘Intranet Groups’
Setup a user account to be used for the SLDAP sync (e.g. svcsldap) which is just a domain user
When this is set up, you will need the following details so that the connectors can be configured on Interact / Mimecast:
Domain LDAP path (e.g. dc=test,dc=co,dc=uk).
Interact Groups LDAP path (e.g. OU=Intranet Groups,dc=test,dc=co,dc=uk)
Common Name of the SSL certificate
Domain Name
Functional level of domain
SLDAP Windows Username (with Domain User privileges).
SLDAP Windows User Distinguished Name (e.g. CN=svcsldap,OU=Users,dc=test,dc=co,dc=uk)
SLDAP Windows User Password
(To be provided over the phone or via SMS)
To add the SLDAP connection to Mimecast, Login to Admin Console and then click Administration / Services / Directory Synchronization:
Click New Directory Connector Button:
Fill out the required information and tick the check box and then click on Test Connection. If successful then Save and Exit the new connector:
To add the SLDAP connection to Interact Click on Settings / Application Settings:
Click on Manage People:
Click Manage Profile Sources:
Click Active Directory:
Enter Connector information on all tabs (review the existing work.local connector for settings). Note: in the Group Distinguished Name field, remove the Base DN from the full path.
Click to Test the new connector and you should receive a tick:
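A pre-flight check for the SLDAP endpoint set up above, as an added PowerShell example that is not part of the original article: it opens TCP 636, completes the TLS handshake and reports whether the certificate the Domain Controller presents chains to a trusted root, matches the published name and is not close to expiry. The function name, the -ConnectTo parameter and the 30-day threshold are assumptions.

```powershell
# Added example: verify the LDAPS listener before giving the details to Interact / Mimecast.
function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        # Name the connectors will use; must match the certificate Common Name and the external DNS record.
        [Parameter(Mandatory)] [string] $HostName,
        # Address the TCP session is opened to. Assumption: defaults to $HostName; pass the Domain
        # Controller's internal name or IP when testing from inside the firewall.
        [string] $ConnectTo = $HostName,
        [int] $Port = 636,
        [int] $WarnDays = 30,       # assumption: flag certificates with fewer days left than this
        [int] $TimeoutMs = 5000
    )

    $report = [ordered]@{
        HostName = $HostName; ConnectTo = $ConnectTo; Port = $Port
        Reachable = $false; ChainTrusted = $false; NameMatches = $false
        Subject = $null; Issuer = $null; NotAfter = $null; DaysLeft = $null
        Healthy = $false; Error = $null
    }
    $seen = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

    # Let the handshake finish even when validation fails, but record why,
    # so that every problem shows up in one report.
    $validator = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $seen.Errors = $sslPolicyErrors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout = $TimeoutMs
    $ssl = $null
    try {
        $pending = $client.BeginConnect($ConnectTo, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No answer on ${ConnectTo}:$Port within $TimeoutMs ms (check the firewall rule and NAT)."
        }
        $client.EndConnect($pending)
        $report.Reachable = $true

        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false, $validator)
        $ssl.AuthenticateAsClient($HostName)    # the certificate is checked against $HostName, not $ConnectTo

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chainFlag = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        $nameFlag  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch

        $report.ChainTrusted = -not $seen.Errors.HasFlag($chainFlag)
        $report.NameMatches  = -not $seen.Errors.HasFlag($nameFlag)
        $report.Subject  = $cert.Subject
        $report.Issuer   = $cert.Issuer
        $report.NotAfter = $cert.NotAfter
        $report.DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $report.Healthy  = $report.ChainTrusted -and $report.NameMatches -and ($report.DaysLeft -ge $WarnDays)
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject] $report
}

# Usage, with placeholder values:
# Test-LdapsEndpoint -HostName '<country code>sldap.vistra.com' -ConnectTo '<Domain Controller name or IP>'
```

Because the firewall rule only admits the Interact and Mimecast source addresses, run the check from inside the network with -ConnectTo pointing at the Domain Controller; NameMatches then still reflects the external name the connectors will use.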
This page contains information about how Caseware was set up. In case of issues, you should be able to do basic troubleshooting.
Caseware is a streamed app installed on AMSSRVCTX010. It uses AMSSRVCW002 (Smartsync Server) as a file repository. This way users can work together on files.
There are 2 security groups. Depending on where the user is located you choose the correct one (Amsterdam or Rotterdam).
On AMSSRVCW002 there is a folder located on the E:\ with 2 folders. One is for Rotterdam users and one is for the Amsterdam users. The security groups below determine who should have access to which folder. By default, if a user is located in Amsterdam he should have access to only the Amsterdam files, and vice versa.
Security - Rotterdam Caseware (Applies 2 GPOs located on OU=Terminal Servers,OU=Amsterdam,OU=Vistra,DC=work,DC=local)
- Vistra - Rotterdam - User - Mapped Network Drives (Caseware) (Mounts a W:\ drive for the user which is pointing to \\amssrvcw002\cwnlrtm$ (E:\Caseware\CWLIB\CWNLRTM))
- Vistra - Rotterdam - User - Caseware Registry Settings (Applies 3 registry entries which determine the settings for the Caseware tool and which Smartsync server caseware should connect to.)
Security - Amsterdam Caseware (Applies 2 GPOs located on OU=Workstations,OU=Amsterdam,OU=Vistra,DC=work,DC=local)
- Vistra - Amsterdam - User - Mapped Network Drives (Caseware) (Mounts a W:\ drive for the user which is pointing to \\amssrvcw002\cwnlams$ (E:\Caseware\CWLIB\CWNLAMS))
- Vistra - Amsterdam - User - Caseware Registry Settings (Applies 3 registry entries which determine the settings for the Caseware tool and which Smartsync server caseware should connect to.)
Caseware streams 3 other applications to the users. See below.
Caseware - Explorer: Users need to be able to drag and drop files in Caseware. Since it's a streaming app it's not possible to drag files from your local machine to it. So you need to use the Explorer that is streamed from the server.
Caseware - Region Settings: Users need to be able to change the comma and dot settings for the docs. They can do this with the Region and Language settings.
Further details:
- The smartsync server is setup using the SVCCW account. If something is not working please make sure this account is unlocked.
- On the AMSSRVCW002 server, there are 2 services that are important for a good running Caseware. Make sure these services are always running. If Caseware is not able to connect to smartsync you might need to restart one of these.
- Caseware information/support can be found here: https://support.caseware.nl/hc/nl
Please find below the new proposed leavers process for On-Premise work.local Exchange users.
Please ask your teams to start running with this and advise if there are any updates / additional items required. I will also add this into a Zendesk KB article which can be updated as required. When we have the IAM solution rolled out, we will be able to automate a lot of the items below.
Further processes will follow for O365 leavers and non-integrated office leavers.
Leavers Process – Email – On Premise work.local Exchange User
Move the AD account to the Leavers OU for the Jurisdiction
Disable Account / Set Expiry
Add the staff member to the group ‘Security - Mimecast - On-Premise Leaver Email Routing’. This will then allow Mimecast to Route the email for the leaver to the correct exchange organisation to receive an out of office. (Complete this on an Amsterdam Domain Controller as Mimecast SLDAP is setup to AMSSRVDC002 and then run a Mimecast Directory Sync to pickup this change. Automatic Syncs happen at 8am / 1pm / 6pm / 11pm GMT)
Delivery Routes are configured on Mimecast to Route the email to On-Prem or O365 for Out of Office Messages
Remove the Staff Member from all AD Groups (Mimecast Sync to have been completed first to pickup new routing)
Hide the Mailbox from Exchange Address List
Set Out of Office on the mailbox either via PowerShell or the Exchange Server 2010/2013 Out of Office tool on the Admin servers.
To change the internal and external OoO message using PowerShell:
Set-MailboxAutoReplyConfiguration -Identity "username" -InternalMessage "{Name of leaver} no longer works for Vistra and your email has not been delivered. For further assistance, please resend your email to {nominated person's email address}." -ExternalMessage "{Name of leaver} no longer works for Vistra and your email has not been delivered. For further assistance, please resend your email to {nominated person's email address}."
To enable the out of office message using PowerShell:
Remove any Delegated / Full Mailbox Access that other Staff members may have to the mailbox
Remove any Send As Permissions
Disable Mail Features from the mailbox only leaving MAPI enabled
Should a Forward be requested (For highly exceptional circumstances) on the Leaver form then this should be set by a Mail Flow Delivery Option. Note that the email should also be delivered to the mailbox to trigger the Out of Office response:
Update the Description of the AD Account to the Leave Date:
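The leaver steps above collected into one function, as an added PowerShell example that is not the team's own script: it runs in two phases because the AD group clean-up has to wait until a Mimecast Directory Sync has picked up the routing group. The function and parameter names, the Leavers OU value, the description date format and keeping the routing group during clean-up are assumptions; the group name, the Domain Controller and the message wording come from the process above.

```powershell
# Added example; run in an on-premises Exchange Management Shell with the ActiveDirectory module available.
Import-Module ActiveDirectory

function Invoke-LeaverEmailProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $LeaverName,
        [Parameter(Mandatory)] [string]   $NomineeEmail,   # nominated person's email address
        [Parameter(Mandatory)] [datetime] $LeaveDate,
        [Parameter(Mandatory)] [string]   $LeaversOU,      # assumption: DN of the jurisdiction's Leavers OU
        [Parameter(Mandatory)] [ValidateSet('BeforeMimecastSync', 'AfterMimecastSync')]
        [string] $Phase,
        [string] $Server = 'AMSSRVDC002'                   # DC that the Mimecast SLDAP connector reads from
    )

    $routing = Get-ADGroup -Server $Server -Filter "Name -eq 'Security - Mimecast - On-Premise Leaver Email Routing'"
    if (-not $routing) { throw 'Leaver routing group not found in AD.' }
    $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties MemberOf

    if ($Phase -eq 'AfterMimecastSync') {
        # Run only once a Mimecast Directory Sync has picked up the routing group membership.
        # Assumption: the routing group itself is kept so the out of office route keeps working.
        foreach ($groupDn in $user.MemberOf) {
            if ($groupDn -ne $routing.DistinguishedName) {
                Remove-ADGroupMember -Identity $groupDn -Members $SamAccountName -Server $Server -Confirm:$false
            }
        }
        return
    }

    # Active Directory: Leavers OU, disable, expiry, description, routing group.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $LeaversOU -Server $Server
    Disable-ADAccount -Identity $SamAccountName -Server $Server
    Set-ADUser -Identity $SamAccountName -Server $Server -AccountExpirationDate $LeaveDate `
        -Description $LeaveDate.ToString('dd/MM/yyyy')     # assumption: date format of the description
    Add-ADGroupMember -Identity $routing -Members $SamAccountName -Server $Server

    # Exchange: hide from the address list and switch the out of office on.
    $mailbox = Get-Mailbox -Identity $SamAccountName
    Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true
    $message = "$LeaverName no longer works for Vistra and your email has not been delivered. " +
               "For further assistance, please resend your email to $NomineeEmail."
    Set-MailboxAutoReplyConfiguration -Identity $SamAccountName -AutoReplyState Enabled `
        -InternalMessage $message -ExternalMessage $message

    # Remove explicit Full Access grants (inherited entries and the mailbox owner are left alone).
    Get-MailboxPermission -Identity $SamAccountName |
        Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                       ($_.AccessRights -like '*FullAccess*') } |
        ForEach-Object {
            Remove-MailboxPermission -Identity $SamAccountName -User $_.User.ToString() `
                -AccessRights FullAccess -InheritanceType All -Confirm:$false
        }

    # Remove explicit Send As grants.
    Get-ADPermission -Identity $mailbox.DistinguishedName |
        Where-Object { -not $_.IsInherited -and $_.User.ToString() -ne 'NT AUTHORITY\SELF' -and
                       ($_.ExtendedRights -like '*Send-As*') } |
        ForEach-Object {
            Remove-ADPermission -Identity $mailbox.DistinguishedName -User $_.User.ToString() `
                -ExtendedRights 'Send As' -Confirm:$false
        }

    # Leave only MAPI enabled.
    Set-CASMailbox -Identity $SamAccountName -OWAEnabled $false -ActiveSyncEnabled $false `
        -PopEnabled $false -ImapEnabled $false -MAPIEnabled $true
}

# Usage, with placeholder values:
# Invoke-LeaverEmailProcess -SamAccountName '<username>' -LeaverName '<Name of leaver>' `
#     -NomineeEmail '<nominated person>' -LeaveDate '<leave date>' -LeaversOU '<Leavers OU DN>' -Phase BeforeMimecastSync
```

Run the AfterMimecastSync phase only after a manual Directory Sync or the next automatic one has completed.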
Should the London accounts team submit any cases regarding Sage 50 Accounts taking a long time to open or running really slowly, please use the following to resolve:
Note: You will need to ensure all users are out of Sage before you continue, otherwise you will run the risk of corrupting Sage data. I would suggest calling the user who has reported the issue and asking them to confirm that everyone is out of Sage before you continue, to be safe.
Log in to LDNSRVFS001, and open up services. You will need to find the following 2 services:
Stop the 'Control' service first, and then stop the 'Service' service second. This always fails to stop, so you will need to use the following command in CMD (elevated): taskkill /f /pid <enter PID number here>
You can find the PID number of any service that is running in Task Manager:
Once both services are stopped PLEASE ENSURE you start the 'Service' service first, and then the 'Control' service second. Once both are up and running again, you can instruct the accounts team to use Sage 50 Accounts again.
If exporting data from Viewpoint in to Excel fails, I have provided a work around.
When exporting data, ensure that the settings match the screenshot below:
This will copy the exported data to the clipboard. Now open up a new Excel Workbook, right click on the first empty field (A1) and click 'Paste Special...':
Then on the following window that appears select the source as 'Text', and then Click 'OK':
This will paste the exported data in to its correct format.
This sheet is created to be used for Quarterly task T39.
1. Open Internet Explorer and browse to the Nimble web interface (check PM for login credentials)
2. Go to administration -> software:
3. This is the overview of the currently installed Firmware version. Click on download to get the latest firmware version. Once downloaded, create a Request for Change to plan the update. Click on update once approved and monitor the process.
*Please note that using the download button you will get the InProduction firmware versions. If you do not get the latest version, please contact Nimble support -> Please see step 4
4. They can provide a direct link to download the firmware. Once you've downloaded the firmware, you can manually upload it by using the upload button. Please see the screenshots below to manually upload the firmware. Once uploaded you can click on update to perform the update.
This list is progressive as deployment of O365 products continues:
work.local/Vistra/_IT Users
work.local/Vistra/Amsterdam/3rd Party - Mckinsey
work.local/Vistra/Amsterdam/Distribution Groups - O365
work.local/Vistra/Amsterdam/Users
work.local/Vistra/Amsterdam/Users/BSS
work.local/Vistra/Bristol/Users - O365
work.local/Vistra/Bristol/Distribution Groups- O365
work.local/Vistra/CEE/Users
work.local/Vistra/CEE/Users/VFS
work.local/Vistra/Curacao/Contacts
work.local/Vistra/Curacao/Distribution Groups
work.local/Vistra/Curacao/Leavers - O365
work.local/Vistra/Curacao/Shared Mailboxes
work.local/Vistra/Curacao/Users
work.local/Vistra/Cyprus/Distribution Groups - O365
work.local/Vistra/Cyprus/Users
work.local/Vistra/Cyprus/Users/Jordans
work.local/Vistra/Cyprus/Users/OF
work.local/Vistra/Frankfurt/Service Accounts
work.local/Vistra/Hong Kong/Users
work.local/Vistra/Hong Kong/Users/OF
work.local/Vistra/India/Contacts
work.local/Vistra/India/Distribution Groups - UJWAL
work.local/Vistra/India/Distribution Groups
work.local/Vistra/India/Leavers
work.local/Vistra/India/Leavers - UJWAL
work.local/Vistra/India/Shared Mailboxes
work.local/Vistra/India/Users
work.local/Vistra/India/Users - UJWAL
work.local/Vistra/Jersey Group Management/Users
work.local/Vistra/London/Users
work.local/Vistra/London/Users/OF
work.local/Vistra/London/Users/USA2Europe
work.local/Vistra/Luxembourg/Users/_OF
work.local/Vistra/Luxembourg/Users/_VL
work.local/Vistra/Mauritius/Distribution Groups
work.local/Vistra/Mauritius/Leavers - O365
work.local/Vistra/Mauritius/Security Groups/Mailbox Access
work.local/Vistra/Mauritius/Shared Mailboxes
work.local/Vistra/Mauritius/Users
work.local/Vistra/Seychelles/Distribution Groups
work.local/Vistra/Seychelles/Shared Mailboxes
work.local/Vistra/Seychelles/Users
work.local/Vistra/Sydney/Contacts
work.local/Vistra/Sydney/Distribution Groups
work.local/Vistra/Sydney/Leavers
work.local/Service Accounts/_O365 Vistra Tenant
work.local/OIL/BVI/Distribution Groups
work.local/OIL/BVI/Users
work.local/OIL/Hong Kong/Users
work.local/OIL/Hong Kong/Users/BSS
work.local/OIL/Hong Kong/Users/IT
work.local/OIL/Shanghai/Users/IT
work.local/OIL/Singapore/Users/IT
work.local/Orangefield/Soest/Users O365
To add an additional OU please carry out the following:
Login to AMSSRVADFS001
Open Azure Synchronization Service Manager
Click on the Connectors, right click on the work.local connector and select Properties:
Select Configure Directory Partitions and click on Containers:
Enter the password for svcazure and click OK:
Select the OU that you would like to sync and Click OK, Click OK:
Open Active Directory Module for Windows PowerShell and run the following command to set off a sync: Start-ADSyncSyncCycle -PolicyType Delta
You can then either check that this has completed via the Synchronization Service Manager or from the O365 Dashboard:
To temporarily disable DLP on a specific machine to allow USB or upload access for a non-specific
Log into https://amssrvepo001:8443 via your browser.
(For Swiss offices use https://zrhsrvepo01:8443, for Luxembourg use https://luxsrvepo01:8443)
Go to Menu>Help Desk
On the next page, complete the User's name, email address, workstation number and the reason for the bypass.
Then, On the target workstation/server, right-click on the McAfee Agent system tray icon, choose 'Manage Features' then 'DLP Endpoint Console'
**NOTE**
If this is not visible (usually because you are connected to the machine via RDP) then navigate to:
C:\Program Files\McAfee\Agent and open a command window from that location.
Then type: cmdagent.exe /s and hit enter. This will launch the McAfee agent status monitor and make the agent visible in the system tray.
You can find the name of the policy & the Revision ID from the Endpoint Configuration part on the 'about' tab.
Then, click on 'Tasks' and copy the identification code into the Help Desk window.
**Important**
Before you click 'Generate Code' make sure to set the bypass duration to the appropriate time. This defines how long DLP will remain disabled for, and needs to be set to the least required time.
Once you generate the code, copy it into the 'Release Code' field in the Endpoint Console on the user's machine, then click 'Start Bypass'
DLP will remain in bypass mode for the amount of time specified in the Help Desk tool.
If you have any questions about this, contact Amsterdam IT on +31 88 560 9900
When setting up a new Macbook for a user, follow the below steps. It is important these steps are completed BEFORE the user is given the device & adds an iCloud/iTunes account to it:
Initial Config
During initial config of the device, set the language to English and set appropriate time zone when prompted.
When prompted to sign-in to an Apple account, choose the option 'Don't sign in'
Create the user with the windows username of the person to whom the device will be given, and then set the password to the standard Vistra login of 'LetMeIn' - the user will change this when they connect their Apple account to the device.
Once initial setup is completed, the following MUST be done:
Security
Go to https://vistra.sharefile.com and download the McAfee Endpoint Security for Mac package which is located in: Shared Folders>IT Support>Laptop Setup (login details in the Password Manager)
Install the package, you may have to enter the login password for the Mac to allow the Safari addin to be installed.
You will then need to activate FileVault (file encryption for Mac). To do this, click the Apple icon in the top-left of the screen and go to System Preferences.
Choose "Security & Privacy" and then "FileVault"
Click on the lock in bottom-left of the window, and then enter the MacBook password to unlock.
Click the 'Turn on FileVault' button and then DO NOT CHOOSE TO STORE THE ENCRYPTION KEY WITH APPLE.
Make a note of the encryption key and upload it to Sharefile in: Shared Folders>IT Support>Laptop Setup>McAfee Offline Encryption>Encryption Keys
The encryption will continue in the background after a restart, while you work.
Citrix Install
Go to receiver.citrix.com then download & install the Citrix Receiver for Mac
Then create bookmarks for the following 2 pages in Safari:
https://nlcitrix.vistra.com (or other Citrix link relevant to the user's location)
You need to download and install the registered version of PHPRunner: 32bit: http://www.asprunner.com/files/webreports/phprunner98-setup.exe 64bit: http://www.asprunner.com/files/webreports/phprunner98-setup64.exe
To download the software use the following: Username: webreports Password: web!12~
I also recommend you to check the Templates Pack that includes Shopping Cart, Calendar and Members templates at http://www.xlinesoft.com/templates. Using these templates you can build fully-functional, completely customizable eCommerce and intranet websites in a matter of minutes.
If you lose your key file and need to re-install this software, just drop a note to support@xlinesoft.com and I'll send it to you again.
If you need any help using PHPRunner feel free to ask your questions in PHPRunner forums at http://www.asprunner.com/forums/index. Our experts are always ready to help.
Created: 18/09/17 Team Working on Project: Jon Le Page / Ambrus Porcsin / Matthias Thömmes
Due to email routing constraints with the managed Datev data centre solution that Optegra are currently using, we are not able to route outbound emails via Mimecast like we would normally with other integrations. Due to this the email flow will be the following:
The following OUs were created to host mail users for email routing and the address book for work.local staff:
The following AD groups are used for the email routing. Any new starters for these offices should have a Mail User object created in the correct OU above and be added to their office's group below:
Email - All Vistra Cologne Contacts
CN=Email - All Vistra Cologne Contacts,OU=Distribution Groups,OU=Cologne,OU=Vistra,DC=work,DC=local
Email - All Vistra Munich Contacts
CN=Email - All Vistra Munich Contacts,OU=Distribution Groups,OU=Munich,OU=Vistra,DC=work,DC=local
Email - All Vistra Hamburg Contacts
CN=Email - All Vistra Hamburg Contacts,OU=Distribution Groups,OU=Hamburg,OU=Vistra,DC=work,DC=local
Email - All Vistra Leipzig Contacts
CN=Email - All Vistra Leipzig Contacts,OU=Distribution Groups,OU=Leipzig,OU=Vistra,DC=work,DC=local
Delivery routes created on legacy Mail Marshal Servers:
Exception added to the Spoofing Rule on Legacy Mail Marshal Servers:
Profile Group created on Mimecast with Optegra.de Addresses to be used in Forwarding Addresses:
Forwarding Addresses created on legacy Mimecast for the Vistra.com Addresses to forward to Optegra.de:
Content Examination Exception added to bypass the Anti Spoofing Rule when coming from the Datev Mailgateway IP addresses:
Greylisting Exception added for the Optegra Email Groups as they are not routing Outbound via Mimecast so won't have built up their Auto-Allow lists:
Impersonation Protect Exception added for Optegra Email Groups when coming from the Datev Mailgateway IP addresses:
Blocked Senders Exception added for Optegra.de due to email forwards that have been setup:
Datev Mailgateways added into the Vistra.com SPF Record due to them not routing outbound via Mimecast:
The Business Systems team may receive updated License files from Viewpoint if they purchase additional features or license counts.
When Viewpoint send the license file, they often call this 'vistra viewpoint.lic'. This needs to be renamed to just 'viewpoint.lic' ready for putting in place.
This license file should first be put in place for the Test Viewpoint for the BSS team to check and approve for it to be put live.
Connect to the relevant Test Viewpoint program files, for example: \\jersrvsql01\vpapps$\JERVIEWPOINTTEST\Program
Rename the existing viewpoint.lic file to viewpointReplaced%Date%.lic
Copy the new 'viewpoint.lic' license file into the Viewpoint Program Directory
Run Viewpoint Database Management from the Viewpoint Program Directory:
Login using the viewpoint username and password:
Credentials can be found here in the password database:
Click on Change License Option from the left navigation bar to view the new license information:
Click on the License Configuration tab to see which features will be added / removed with the new license file and click Apply Changes:
Click OK:
Click OK:
Close Viewpoint Database Management and login to Viewpoint. Click on the Viewpoint tab and select About from the list:
Check that the license has applied and click OK:
Ask the BSS team to test the new license in UAT and approve the change for Live and then repeat the above process for Live.
If there are any issues with the new license file then revert to the previous license file.
In Zurich there are 2 kinds of printers. Those coming from the Print server and the others directly attached to a PC (label printers).
All settings for all printers are the same:
1 sided print
Black and white
These settings were asked to be in place by Bruno Sidler to all printers.
Print server: ZRHSRVDC001
IPs of all Printers in the Print Server:
There are 5 Canon Printers using the following Driver:
Canon Generic Plus UFR II
There are 6 HP Printers using the following Driver:
HP Universal Printing PCL 6
There are 3 Brother Printers using the following Driver:
Brother HL-3170CDW series
All drivers were updated, since Microsoft is nowadays forcing all printer vendors to create signed, package-aware drivers.
Without this type of driver you will probably get this:
For vendors that do not update their drivers, there is a way through GPO to disable that popup.
In addition to updating drivers I have performed the following tasks on the print server:
All other older drivers were removed.
All other TCP ports were removed.
Since there was no GPO for printers and all users had them connected manually, I had to create a GPO for it.
GPO:
Vistra - Zurich - User Printers
Computer Settings (these settings make sure that non-package-aware drivers are installed silently).
Computer settings:
The names of the print server and the ZRHWRKXXX machines that have Brother printers shared on them have been added to the following strings in the policy.
Computer Configuration > Administrative templates > Printers > Package Point and print > Approved servers
Computer Configuration > Administrative templates > Printers > Point and Print Restrictions
User Settings:
All printers are created and there are groups defined per printer to allow a user / group of users to have it assigned to its own PC. Those groups are under the OU named Printers.
For example:
If a user needs the printer ZRHPRN001:
You need to add that user to the group:
Security - Zurich Printers ZRHPRN001
The user then needs to log off and log back in to get the membership of that group and printer will be added automatically.
Regarding the Label printers, there are two computers at this moment with those printers shared on the network.
ZRHWRK043 and ZRHWRK045
If someone needs access to those printers, like above, you add them to the relevant security group:
Go to the ‘My Account’ tab and download the Bomgar representative console:
During installation, install the Bomgar display driver when given the option.
Once installed, you can then log into the tool using the Vistra IT admin account.
Connecting to Workstations
There are several available methods for connecting to a workstation using Bomgar; 3 of these are explained below.
Method 1 – Jump
The main screen of the console is split into 2 main parts. The top half of the screen contains the connection queues and displays any currently active sessions.
The bottom half of the screen displays the jump clients installed on the endpoints. Click ‘refresh’ to update the display with the currently active clients.
To use the ‘Jump’ method simply double-click on the desired workstation in the list. The user will receive a pop-up on their screen informing them that you are trying to connect to their workstation. They will need to click ‘allow’ before you will be able to see their screen.
Method 2 – Jump To
At the top of the screen in the console, you will see the ‘Jump To’ button.
Click this, then change the ‘Jumpoint’ to the location closest to the office you want to connect to. Then, enter the hostname of the workstation (i.e. UKBRSWRK013) and click ‘Jump’. You will then need to enter credentials with admin access to the specified workstation. Again, the end user will need to allow the connection.
Method 3 – Remote support link.
You can email the end user a remote support link using the console. To do this, click the ‘Start’ button in the top-left corner of the representative console.
You should see this screen:
Click on the ‘email’ button to send a link directly to the user.
You’ll notice you can also access the other Jump methods from this start button. If for any reason you are not able to start the connection with the workstation, the users can go to https://nlremotesupport.vistra.com to initiate the connection from their side.
Once connected, you will have full access to the workstation and Bomgar will keep the connection alive if you need to reboot the machine you’re connected to.
- Press F12 until you see the "One Time Boot Menu"
- Click on "Onboard NIC"
The PC will then connect to JERSRVWDS01 and pull down the boot image file
Setup will begin
Change Locale from "US" to "United Kingdom"
Enter your admin credentials (Make sure you enter work\ before your username)
Pick the image you would like to use on the PC:
JERWRK - Jersey Image
VGMLWRK - VGML Image
Blank PC - Clean Image
The PC will then start to image and this will take around 10/15 minutes.
You will then be logged in with the Europe-IT account automatically and the batch file with all the installations will run (This will take a further 5 minutes to run and install)
Once the batch file has run, change the PC object name from JERWRK009 to the PC name which is labelled on the sticker on the top of the PC.
Restart the PC and the imaging process is complete, shut down the machine and the PC is ready to go.
Datev was recently updated to Windows Server 2016 by the vendor. This causes some issues when setting up the account for Outlook. In the attachments you can find instructions and the required files.
Connection to Datev.
Create a shortcut to the DATEV server on the staff member's desktop:
http://dcsgvistra.geiger-bdt.de/
Within the Citrix session for Datev, please enter the O365 details for Outlook 2013.
The user is invoicing.fra with invoicing.fra@vistra.com as email address. The password can be found in the password manager.
This is only to be used for emergency IT instances. If any issues can wait until normal working hours then please send an email to itsupport@vistra.com.
The on call IT emergency telephone number: +31 88 560 9911
This number is also given in the recorded message when calling the Amsterdam IT team out of working hours.
If you want to setup an Exchange account on a MacBook please disable the Auto-discover. Here is how to do this:
Disable Exchange Autodiscover on Outlook
While Autodiscover with Microsoft Exchange can be great, sometimes a company can have a rather difficult DNS setup. Maybe it's their use of internal and external DNS servers with different IP addresses and hostnames for the mail server if you're on the network (in the office) versus when you're not. This can wreak havoc on Outlook's Autodiscover feature. To disable Autodiscover, close Outlook completely, launch AppleScript, and type the following command (be sure to change AccountName to the profile name in Outlook).
After you hit the play button to run it, you can close AppleScript and reopen Outlook. Autodiscover will now be disabled so whatever server settings you put in, will stay.
Please be aware that I have now setup the Cyprus Viewpoint Nirvana environments ready for the BSS team to start working with.
Note, this Nirvana database will not be used by staff in Cyprus at this time and Unity remains the Live database for staff to carry out their day to day work.
Access to open this Viewpoint Nirvana environment is controlled with the following security group: Application - Cyprus Viewpoint Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Cyprus office will access this from their Start Menu and launch locally rather than via Citrix:
To identify whether a staff member is using the Live or Test environment look at the menu bars. If it is yellow as below the staff member is in TEST, which can also be identified by the bottom status bar which displays the environment name and also SQL Instance / Database:
Access to the site requires the staff member to be part of the Viewpoint Security group Application - Cyprus Viewpoint Users and then access to sub folders is controlled by the following groups:
Application - CYP Viewpoint SSRS - Accounts Report Access
Application - CYP Viewpoint SSRS - Administrators Report Access
Application - CYP Viewpoint SSRS - Chargeability Reports Access
Application - CYP Viewpoint SSRS - Compliance Reports Access
Application - CYP Viewpoint SSRS - Finance Reports Access
Application - CYP Viewpoint SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
Please be aware that I have now setup the Jersey Viewpoint Nirvana environments ready for the BSS team to start working with.
Note, this Nirvana database will not be used by staff in Jersey at this time and the existing Viewpoint (JERSRVSQL01\JERVIEWPOINT) remains the Live database for staff to carry out their day to day work.
Access to open this Viewpoint Nirvana environment is controlled with the following security group: Application - Jersey Viewpoint Nirvana Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Jersey office will access this from their Start Menu and launch locally rather than via Citrix:
The Viewpoint Launch Path Directories for both the Live and Test Nirvana are in the following location:
To identify whether a staff member is using the Live or Test environment look at the menu bars. If it is yellow as below the staff member is in TEST, which can also be identified by the bottom status bar which displays the environment name and also SQL Instance / Database. Note that the Nirvana Live is currently green due to Jersey already using Viewpoint; this will be changed to white when this new environment goes live:
Access to the site requires the staff member to be part of the Viewpoint Security group Application - Jersey Viewpoint Nirvana Users and then access to sub folders is controlled by the following groups:
Application - JER Nirvana SSRS - Accounts Report Access
Application - JER Nirvana SSRS - Administrators Report Access
Application - JER Nirvana SSRS - Chargeability Reports Access
Application - JER Nirvana SSRS - Compliance Reports Access
Application - JER Nirvana SSRS - Finance Reports Access
Application - JER Nirvana SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
AIS Business Application Support Procedures and Contacts
The P1 out of hours support is an Engineer to Resolution service for MobileIron Critical issues only.
If you experience a critical issue outside of standard business hours (Monday-Friday 9:00-17:30 GMT) call the P1OOH number to speak to an engineer on call.
This on call service is provided 24x7x365.
Standard Business Hours
During the hours of 09:00 to 17:30 Monday to Friday GMT you must log calls via the normal method.
Phone: +44 (0) 2036 515 392
Email: Support@cwsi.ie
Outside Standard Business Hours
Outside of standard business hours you must phone the on call number which is provided below.
As of 1st of August 2017, the Quorum database from Jordans has been migrated to the Vistra virtual hosts in Cyprus. The Cyprus office already owns a Quorum instance. Now they have 2 different Quorum databases
Install application
**Please note that you do not have to install the client for the Jordans database if the client for the Vistra database has already been installed. Please refer to below if you want to connect to the Jordans database with an existing client
1. Open a web browser on the users pc and navigate to http://jordanscx:3030
2. Install the client by clicking Install
3. Once the application has been installed make sure you connect to the right database by filling in the right server name. Leave everything else default
Creating users
Please make sure you have enough licenses before creating users.
1. Log in with the Quorum client using the administrator account. Credentials can be found in the password manager
2. Click Maintenance -> Employees. In here you can create as many users as you want.
3. Assign the license by clicking Security Settings -> Green PLUS
4. Select the user that needs to login and fill in required fields like below. Please note that you do not have to fill in level 2 password. Please make sure you tick Enable Corporate and Enable Banking.
Now the user is able to login.
Please note that if you get the following error when pressing save you do not have enough licenses. Either new licenses need to be bought or you have to discuss with the MD if you can remove existing users from the Security (License) page.
8. For $DB, enter VPM3 or VPM6 as appropriate to the environment with the backlog
9. Update the $fnCode variable with the code noted in step 5
10. Execute. This script will place all records with that fund code on hold and subsequently enter a loop which will release the holds one by one provided there are no more than 3 non-held records in the queue at a time. Items for other funds will then be able to jump to the head of the line.
b. VPM Rebuild Queue Backlog – Process Server Not Running
i. Resolution (end-user accessible)
1. Launch VPM15 (same as above)
2. Click the System ribbon, Status button in the Process Server section on the left
3. Click the Start button in the right corner of the Status tab
ii. Resolution (admins only, if steps above fail to restart the Rebuild Queue)
1. Launch Admin VMware
a. Enter ps-it-admin-01.cac.nnw for IP Address/Name
b. Check “Use Windows session credentials”
2. Open a console window to PS-RB-VPM-15
a. Username – cacnnw\sungard
b. Password – Please call +1 212-500-6170
3. Open services.msc (pinned to taskbar)
4. Restart service Sungard VPM PS
c. Bloomberg Console – connection limit reached
i. Cause – stale vSphere console session
ii. Resolution
1. Launch Admin VMware
2. Choose Administration->Sessions
3. Log off any idle end-user sessions
4. Please do not log off sessions for any of the following accounts:
This article explains how to change the tapes within the Cyprus office to ensure smooth back-ups. The daily checks must match the schedule below (on Friday a tape should be inserted and on Monday a new tape should be inserted).
To be done on Friday
To be done on Monday
Every day there will be a tape back-up running. Every Friday Lilia from the Cyprus office has to put in a new tape. This tape has to be labeled as below:
Tape ID : 1 + week-number + year
This back-up will run until Monday and contains 2 tapes. So on Monday the office has to be contacted to make sure the second tape has been inserted. Lilia has to label this tape as:
Tape ID : 2 + week-number + year
Please note that by the end of the month the label from the tape has to be different:
Tape ID: 1 + month + year
Example: Tape 1 July 2017; the tape on Monday should be labeled as Tape 2 July 2017.
Please see the table below. On Tuesday, Wednesday and Thursday Lilia has to put in the tape that is labeled with that day (same as in Amsterdam).
Go to Menu > Policy Catalog, then click on 'Vistra - Client Configuration'
Choose 'Web Protection' on the next page, then scroll to the bottom of the right-hand pane.
Fill in the protocol with http or https, then the URL (this should be the domain only, without any path - for example, vistra.com, not vistra.com/remote)
Click 'Add', then 'Apply Policy'. When the agent on the user's workstation updates policies (this happens once per hour), they should be able to upload to the site.
AMS - Create Permanent DLP Bypass for Removable Storage
This guide details how to permanently bypass a specific USB/Removable storage device for users in the AMS hub / Connected to the AMS EPO.
**NOTE - Users MUST have approval for this from the appropriate person in their office**
Step 1 - Identifying the device
Connect remotely to the user's workstation and then go to this location from their desktop:
\\AMSSRVDC005\NETLOGON\Global\DLP
**Note that you need to replace the server name with whichever domain controller the user authenticates with**
**Ask the user to unplug the USB device, then plug it back in.**
Run 'USBDeview.exe'
This tool will show you a history of all devices connected to the workstation. Click on the column 'Last Plug/Unplug' to sort by most recently connected device.
Right-click on the device, click 'Properties', this will show you the information for that device. You can copy and paste from this.
Copy the Serial number, the Vendor ID & the Product ID
Make sure that 'Product' is set to 'Data Loss Prevention 10'
Click on 'Vistra - DLP Policy'
Then click, 'Vistra - Device Control'
Click on 'Block Removable Media'
On the next page, click 'Exceptions' and then the 3 dots next to the list of devices:
This brings you to the list of 'allowed' devices, click on 'New Item', then you'll see this screen:
From the categories on the left side, click 'USB (VID/PID Codes) & USB Device Serial Number'.
Change the name to something which describes the device best, for example: 'AMS - CommerzBank USB - Roel'
Enter the Vendor ID, Product ID & Serial number you copied earlier from the USBDeview.exe tool, then click 'save' in the bottom-right.
This brings you back to the list of allowed devices, make sure your new item is checked, and then click 'OK'.
Click Save again in the bottom right corner.
Now, go back to Menu>Policy Catalog> Vistra - DLP Policy. You should then be back on this screen:
As in the screenshot above, you should see that there are pending changes. Click 'Apply Policy'
This screen appears to confirm which policy is being updated, click 'Apply Policy' again:
You should then see this screen:
The device you added will now be allowed but monitored by McAfee DLP. As soon as the McAfee Agent on the user's workstation updates policies (this happens once per hour), the user can use the device.
For information, the following share was created for colleagues in India to share data while logged into the NL Viewpoint - India Citrix environment.
Share name is 'VistraIndia$' and it maps to: \\AMSSRVFS001\VistraIndia$
This has been added to the start menu for the NL Viewpoint Desktop - India as 'Vistra India AMS Share'
There is a security group giving read/write access to the share, anyone requiring access needs to be in the following security group: 'Security - Amsterdam - Vistra India Share'
When creating new employees in Vistra Sharefile, please ensure you disable the permissions below for all staff members. The permissions with an arrow next to them need to be disabled. If these aren't changed when the employee is created, the employee is given the permissions highlighted in yellow below by default.
Unfortunately we are unable to change the default permissions at this point, so this will have to be completed manually when creating the user.
Please also change the storage zone from Public Cloud to Private Cloud (as stated below). This ensures that their uploaded data is stored in our on-prem storage zone rather than Sharefile's cloud storage.
To add Representatives to Bomgar Remote Support, do the following:
For IT Support users, add to this AD group:
Application - IT - Vistra Group - Bomgar ITreps
For Business Systems Support users, add to this AD group:
Application - IT - Vistra Group - Bomgar BSreps
Once added, allow time for replication (usually only a few minutes). They can then go to https://nlremotesupport.vistra.com/login to download and install the Bomgar Representative Console.
See this KB for a guide on using the support console.
Please be aware that whilst investigating an issue with the Amsterdam Indexer yesterday with an engineer from Phoenix I found that the issue was due to the version of Java being updated.
When installing updates to the Worksite indexers, please leave the Java at version 6 as it seems from version 7 Java no longer has a verify.dll that the Worksite Connector service is looking for and fails without:
C:\Program Files (x86)\Java\jre6\bin\verify.dll
Please also note that there is a specific stop / start order for the Indexer services. If this order is not followed, it can corrupt the search index for Worksite, which will then require a full re-index.
Service Stop Order:
Worksite SyncTool
Worksite Connector
Worksite Ingestion
Worksite Active DIH
Worksite IDOL
Worksite Active Content Engine
Worksite Content Engine (All) (3-2-1)
Reboot the server
Service Start Order:
Worksite Content Engine (All) (1-2-3)
Worksite Active Content Engine
Worksite IDOL
Worksite Active DIH
Worksite Ingestion
Worksite Connector
Worksite SyncTool
Please notify the BSS team if you are updating the Indexers so that they are aware if staff start reporting issues to them and also carry out worksite searches post installing updates.
Please be aware that I have now setup the Bristol (Jordans) Viewpoint Nirvana environment ready for the office to start testing with prior to integration.
Access to open this Viewpoint Nirvana environment is controlled with the following security group and is currently only available via London’s Citrix Farm. The relevant Bristol office staff will be added after the BSS team have carried out their initial checks: Application - Bristol Viewpoint Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Bristol office will access this from their Start Menu and launch locally rather than via Citrix:
The Viewpoint Launch Path Directories for both the Live and Test Nirvana are in the following location
To identify whether a staff member is using the Live or Test environment, look at the menu bars. If it is yellow as below, the staff member is in TEST, which can also be identified by the bottom status bar which displays the environment name and also SQL Instance / Database:
These are the SQL databases that are used for the Live and Test instances of Bristol Nirvana Viewpoint:
The Viewpoint Reports SSRS Site can be accessed from the following link: http://ldnsrvsql001/Reports_BRSVIEWPOINTSSRS
Access to the site requires for the staff member to be part of the Viewpoint Security group Application - Bristol Viewpoint Users and then access to sub folders is controlled by the following groups:
Application - BRS Viewpoint SSRS - Accounts Report Access
Application - BRS Viewpoint SSRS - Administrators Report Access
Application - BRS Viewpoint SSRS - Chargeability Reports Access
Application - BRS Viewpoint SSRS - Compliance Reports Access
Application - BRS Viewpoint SSRS - Finance Reports Access
Application - BRS Viewpoint SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
This guide shows how to import GPT formatted disks into Hyper-V.
tl;dr. Hyper-V does not support GPT in boot drives. You will need to remove the boot partition and repair it manually to MBR. To see if you have a GPT disk, go to Disk Management, right-click Disk 0 (or whichever disk C:\ is installed on), go to Properties, then the Volumes tab, and look at the Partition Style field.
Requirements:
- Server OS .iso
- Workstation with workstation OS
- AOMEI Partition Assistant (www.disk-partition.com)
1. P2V the disk to a VHDX or VHD. Use VHDX only if your workstation OS is 8 or higher
2. On a workstation (non-server OS) download and install the trial for AOMEI Partition Assistant (www.disk-partition.com)
3. In Disk management attach your .VHD(X)
4. Start AOMEI Partition Assistant and find your attached VHD(X)
5. Remove everything in front of your main partition
6. Right click your disk and select Rebuild MBR and click on OK
7. Click on Apply on the top left. Then Proceed and click YES
8. Create new VM in Hyper-V and attach the VHD(X). Do not add the NIC yet (just to be sure), also attach Server OS .iso as a disk.
9. Boot from Server OS .iso and choose Repair OS
10. Get to a CMD prompt. There is a different way to get there for each OS. If needed, google it.
11. In the CMD window type the following:
- diskpart
- list disk
- select disk 0
- list partition
- select partition 1
- active
- exit
12. Restart VM and boot from .iso again. Get to same CMD prompt as the previous step
13. Type in the following commands:
- bootrec /fixmbr
- bootrec /fixboot
- bootrec /rebuildbcd
14. Say yes when prompted with the question to add installation to boot list
15. Restart server
16. Boot from .iso again, go to the CMD prompt and type in the following:
- cd recovery
- startrep
17. If you end up with errors you're probably on server 2012 or above. In this case, you can start booting the OS normally now.
18. Windows will do some registry changes. Let it finish before turning it off again.
The PWC Compass tool is used by staff around the group to maintain FATCA classifications and classify new entities as part of their business as usual processes. Compass is a web-enabled solution which supports the classification and maintenance of those classifications, with a full audit history, reducing the risk of penalties or internal audit scrutiny and enabling organisations to have a consistent approach to classification allowing a streamlined response to FATCA / CRS status requests from third party financial institutions.
Server Setup
AMSSRVCMPS001 - SQL Server
10.30.10.165
2 x Processor Cores
16GB RAM
C: 100 GB
D: 100 GB
SQL Backup Location: \\amssrvfs001\sqlbackups$\AMSCOMPASS
Instance / Server Access AD Group: WORK\Security - IT - Amsterdam PWC Compass Administrators
Web Interface connects to the SQL database using this SQL Login (Password in NPM):
AMSSRVCMPW001 - Web Server
10.30.10.166
2 x Processor Cores
16GB RAM
C: 100GB
Server Access AD Group: WORK\Security - IT - Amsterdam PWC Compass Administrators
Front End Application
This is purely web based and can be accessed via the following URL for both Administration and Staff use: http://amssrvcmpw001/Compass
User Setup & Password Resets
This task is currently with the following two staff based in the Jersey Office but may change in the future:
Pravin Yeole - Pravin.Yeole@vistra.com - +44 1534 504513
Michelle Le Blond - Michelle.LeBlond@vistra.com - +44 1534 504517
This is configured to send to the compass.portal.admins@vistra.com distribution group in the following config file on AMSSRVCMPW001:
Key Vistra Contacts
Jon Le Page - IT Technical Lead
Pravin Yeole - Project Manager
Michelle Le Blond - Project Team
Installed via Bomgar PAM by PWC Employees April 2017
Sudheer Parwana
PwC | Senior Manager
Mobile: +44 (0) 7734 958 870
Office: +44 (0) 121 265 5380
Email: sudheer.parwana@pwc.com
If you are currently running StorageZones version 2.0 then you will need to first install ShareFile StorageZones Controller 3.0.1, then restart the server. Once completed, then you can install the latest version (5.0 at time of writing this guide)
Before installation, take a snapshot of the server or ensure you have a backup from the same or previous day.
Installer is simple next, next, next, finish then restart.
Once installation is complete, test that you can login to your Sharefile instance on the internet then test uploading and downloading a file to confirm functionality.
1. Log in to the Arcserve web interface via https://amssrvstore001:8015
2. Go to resources -> All Nodes - Click on "Add Nodes"
3. Fill in the following credentials. Use username ->
Node = IP or name of server
Username = svcamsbackup
Password = can be found in PW manager
Description = Give name of server
4. Deploy agent to server by right click and choose - Install
5. After successful installation, the agent will be visible in Nodes Without a Plan
6. Now the plan needs to be assigned, so the server will make backups. Go to Plans -> All Plans -> Make sure you select the right plan. So for example:
-APP_AMSDS01_Data_6PM = Plan for applications stored on AMSDS01 (check on AMSSRVSTORE001) and will run on 6PM
So before assigning the server, make sure you select the correct group, one that has enough space on the back-up server!
7. Select Plan -> Actions -> Add Nodes -> Select Nodes to Protect in Arcserve UDP -> Add the new server and press OK.
8. Check the next day that the back-up completed successfully
Colt - DCS Contact & Support Info (ZRH Datacentre)
This guide can be used for the signatures within outlook and O365.
Info:
A GPO has been created that is applied to all workstations in Cyprus. Logs will be saved to \\cypsrvdc001\log$\exclaimer.
Troubleshoot:
1. Rename the PC number that is in the \\cypsrvdc002\log$\exclaimer folder + restart the machine (this will run the Exclaimer application installer again)
2. Check the following location and install Exclaimer manually (\\cypsrvdc002\support$\Exclaimer\osua.msi). Once installed, go to Start -> All Programs -> Exclaimer and run the application. Open Outlook and check if the signature is there.
1 - Switch on device and choose the following options:
Language - English
Region: (Appropriate to location) Netherlands
Keyboard: United States International
2 - Connect to wifi
Choose VGAccess, log in with LetMeOut
3 - Install updates.
4- Setting user options
When prompted, choose 'Setup for personal Use', at sign in, choose 'offline account' - this option is in the bottom-left corner of the screen and the text is intentionally pale and difficult to see.
Set username to 'User', and set a temporary password.
Skip the facial recognition/face sign-in.
Turn off Cortana
Turn off Speech recognition
Turn off Diagnostics & Tailored experience
Turn off Ads
Leave location services ON.
5. Perform Windows updates (again)
6. Configure IT Admin account
Go to Start>Run, type 'MMC' then hit CTRL+M and choose the 'Local Users & Groups' snap-in, click add, finish, OK.
Choose 'Users', then right-click and choose 'New User'.
Fill in as follows:
NOTE: You will need to create a randomly generated strong password for the VGITAdmin account. Generate this using the password manager or other tool, then make a note of it to store later along with the serial number, laptop name & encryption key.
Now right-click on the User account created earlier and set the password to change at next login.
Go to 'Groups', then 'Administrators'. Add the account VGITAdmin to the administrators group. Then disable the default Administrator account.
7. Adding Bluetooth Mouse
Right-click on Bluetooth icon in the system tray, and choose 'Add a Bluetooth Device'
In the next window, choose the 'Add bluetooth or other device'
Remove the battery tab from the mouse (if applicable) click the sync button on the mouse.
On the laptop Select 'Bluetooth' and then choose the mouse from the list of detected devices.
8 - Tidy start menu
Unpin all games, news & media pins from the start menu (right-click, unpin)
9 - Rename device
Rename the device using the following naming convention:
[Office code]LAP[Year][device number]
Example: AMSLAP1801
You can find the device number you should use by checking the keys on the USB stick, or by checking the folder in Sharefile.
10. Software Installation
From the USB stick (Offline Encryption USB), install the following:
Google Chrome
Microsoft Office 2010 - customize this install and remove Outlook.
- activate office!
Citrix Receiver
McAfee Endpoint Security 10.5 (All options should be enabled)
Change search engine IE to google (not necessary but Bing is Bing)
McAfee browser toolbar, hide via McAfee settings
Citrix receiver, do not show automatically at login, tick box (not necessary, just to keep it nice and clean)
11. Enable Encryption
Go to File Explorer, right-click on C: Drive, 'Turn on Bitlocker' , when prompted choose 'Save to File' and save it to the offline encryption USB. Create a folder within Laptop Keys with the name of the device and the person to whom it will be assigned (if applicable).
Create a notepad file, add the username & password for the VGITAdmin account, the serial number and device hostname to the file and save in the same place as above.
Example notepad text:
Password VGITAdmin: XXXXXXXXX
Serial Number: 037404375053
Hostname: AMSLAP1803
Type: Microsoft Surface Pro
There will be a weekly task to upload the laptop keys from the USB into Sharefile in the shared IT area.
12. Extra info
Do not forget to label the device! (including power brick)
Dedicated laptop or tablet? Only the user should know the password.
If existing, remove office 2016/365
Make sure to keep OneDrive!
If dedicated laptop or tablet, change the display name of the User account to the specific staff member's name
On tablets, change the setting so that the password is required immediately after closing the tablet
This guide explains how to update the firmware on HP servers using HP's SPP (Service Pack for ProLiant)
1. Download the latest SPP from http://www.hpe.com/servers/spp (if this link changes in the future you should be able to find this on the Firmware page on iLo)
2. If possible, drain the Virtual Host you want to update and place the host in Paused (maintenance) mode.
3. Connect with iLo to Virtual Host and attach the newly downloaded .ISO.
4. Reboot the Virtual Host and boot using the ISO. Successfully booting the .ISO should look like this:
5. Follow all on-screen instructions. Please note that it can take a while for the inventory to be finished. Getting disconnected from iLo at certain points is normal behavior.
6. When upgrading is done, start the server again
7. Mount the .ISO
8. Run launch_sum.bat from the ISO's root folder (if nothing seems to happen, run as administrator). A webpage should be opened with "Welcome to Smart Update Manager"
9. Click "Localhost Guided Update"
10. Select mode Automatic. Wait until inventory is done.
11. When this process is done (it might take a while), you get a report that tells you if you need to reboot. Please reboot the server if one of the results state:
12. Take your Virtual Host out of Paused (maintenance) mode.
This article describes the basic set up and need to know information regarding the Deutsche Bank (DB) users in Mauritius who are currently connecting to Vistra systems.
General Description
DB users connect to Vistra via the Citrix Secure Gateway (CSG) through https://nlcitrix.vistra.com, using AD credentials and a SafeNet token provided by us.
They have credentials in work.local to do this. They are located in this OU:
work.local/Vistra/Mauritius/Users/New
Any issues logging in to CSG should be dealt with as a normal Vistra user.
Once logged into the gateway, they connect to one of the following:
DB MAU Desktop
This is for users who need access to EZE & VPM, & the generic mailbox.
VPM Desktop
This launches a desktop which gives access only to the VPM application.
Shared Mailbox
Only 2 DB users currently have access to the generic shared mailbox:
DB.VPMEZE@vistra.com
Those users are shahed.hoolash@vistra.com & Jeetamaroy.Chuckun@db.com
NO OTHER USERS SHOULD BE ADDED.
The mailbox is configured on their desktop using the username and password for that mailbox (details in PWM) and not using their own accounts, so access should not be granted via exchange.
Infrastructure:
VPM/EZE - Live Environment
The following servers are involved in the Verona/DB environment:
AMSSRVCTX009 (This is the Citrix server that DB users connect to.)
AMSSRVEZEUAT001 (this is the EZE server copied over from Luxembourg - TBC the date this goes live in AMS)
AMSSRVVPMAS002 - VPM Application Server
AMSSRVVPMPS002 - VPM PS Server
AMSSRVVPMWEB002 - VPM Web Server
Staging Environment
There is a staging environment set up for the Verona project which is segregated from the work.local domain and the Vistra network. It has a separate AD structure and domain controller.
Servers in the staging environment:
STGSRVDC001 - Domain Controller
STGSRVDEV001 - Development Server
STGSRVDM001 - Document Management Server (Staging version Worksite)
STGSRVFS001 - File Server
STGSRVFTP001 - FTP Server (for data transfer between DB & Vistra)
STGSRVSQL001 - SQL Server
STGSRVTS001 - Terminal Services server, provides desktop environment for DB users to connect to staging version of Viewpoint
STGWRK001 - Virtual workstation for testing.
Currently Jonathan le Page, Craig Wilmott & Jamie Carter have access to the AD in the Staging Environment. DB Users will be added soon to be able to access Viewpoint via AMSSRVTS001. They will access via Bomgar PAM initially.
Abacus is a software application that is used by the Zurich office. This application is installed on ZRHSRVAPP01. The contact person for this application is Stefan Schwizer (info@schwizer.ch / 071 388 87 86)
Please amend the settings below if Abacus is not opening correctly on a workstation.
*Please make sure Java 32-bit version is correctly installed on the workstation!
Step 1: Open the Abacus shortcut from the Start menu
Step 2: Right-click on the downloaded .jnlp file -> choose open with
Step 3: Configure javaws as default for .jnlp files (C:\program files (x86)\java\X (depends on installed version)\Bin\javaws.exe)
Step 4: Close all open applications, re-open the Abacus link and it will work
This guide provides information on how to purchase O365 licenses through SoftCat's Ecat portal
1. Log in to Ecat (https://ecat.softcat.com/) using your email address and the password you've set through the Ecat welcome email
2. If you are prompted with a screen that says "Select Account" > select VGMAL. If not, this means VGMAL has already been defaulted to your eCAT account and you can ignore this step.
3. Click "My Account"
4. Click "Managed Microsoft Cloud Services"
5. Click on Up and Down Arrow Keys or adjust the quantity as desired. Put a tick on the "acceptance message" and click "update". O365 CSP will send a mail about the license adjustment and will update the O365 portal 1-2 mins later.
7. If the license type is not available, it needs to be purchased. Click on Products > Software > Licensing > O365 CSP
8. Search for the Product and Purchase accordingly. This will require a PO number, please get it from the relevant orderindex spreadsheet in \\work.local\itsupport\Global\Accounts
On report from a staff member of receiving a potentially malicious email the following steps should be taken:
- Use Mimecast Tracking to establish who the email was sent to, as often this won't be isolated to a single staff member
- You can then export the list of recipients by clicking Export Data:
- Add the malicious sender to the Blocked Senders Profile group in Mimecast to prevent any further emails coming in from them:
- If the malicious / phishing email contained a URL within the body of the email then this needs to be blocked in URL Protect Managed URL's:
- Use the URL Decoder to convert the re-written Mimecast URL to the original URL:
- Enter the rewritten URL and click Submit, this will then give you the original URL. Click the Add Decoded URL to Block button:
- Click on Logs to establish if anybody had clicked the URL prior to you blocking:
- Enter the URL into search (Remove any prefixes) and click the Search Icon to show if any staff have clicked on the URL. If they have you will see if Mimecast allowed the link at the time of the click in the Action field. If there are any that have been allowed the staff member should be contacted immediately to determine if they have entered any credentials / downloaded any files. If these are all Block you can disregard as Mimecast has not allowed any staff to click on the URL:
- If the malicious URL is within a PDF (which can't be rewritten by Mimecast URL Protect) then you will need to block it on Bluecoat. Click Content Filtering / Policy / Blocked Domains/URLs:
- Click New:
- Enter the Original URL, add a comment and click Add Domains/URLs:
- Click Activate:
- Create a report in Bluecoat to check if any staff already clicked on the link by clicking on Reports and then Web Browsing per User:
- Customise the report options for the date and website required and click Run Report:
- You will then get a list of the staff members that have clicked on the link from within the PDF who should be contacted immediately to determine if they have entered any credentials / downloaded any files:
- A communication should be sent to the staff that received the malicious / phishing email to ask them to delete the email and contact IT Support immediately if they have clicked any links / entered any credentials.
If a staff member has entered any credentials then their AD account password should be reset immediately.
If a staff member has clicked on a malicious / Phishing link then a Full AV Scan should be run on their Computer / Citrix Server
- A Zendesk Security Incident should be raised about the event including all information about it and remediation that was completed.
- The malicious / phishing email should be reported to Mimecast via Tracking:
- If it is a phishing email that could be easily replicated but sent from another email address / using different URLs, then a Content Examination Policy should be set up in Mimecast to detect similar emails in the future and hold them:
For setting up SLDAP for use with Mimecast / Intranet you will need an available external IP to be used for a NAT and then configure the below firewall rule to allow traffic to pass over Port 636:
Below Interact & Mimecast SLDAP IPs --> TCP 636 (SLDAP) --> Available External IP Address --NAT--> Domain Controller
Interact SLDAP IPs: 52.31.52.93 and 178.255.66.130
Mimecast SLDAP IPs: 195.130.217.0/24, 91.220.42.0/24 and 185.58.84.0/22
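The firewall rule above should admit only the listed Interact and Mimecast sources to TCP 636 on the NAT address. As an added example (not part of the original guide), the Python script below audits firewall log lines against that allowlist. The key=value log format, the sample lines and the 203.0.113.10 external address are constructed for illustration; adapt the parser to your firewall's export.

```python
import ipaddress

# Source addresses and ranges exactly as listed in the guide above.
ALLOWED_SOURCES = {
    "Interact": ["52.31.52.93/32", "178.255.66.130/32"],
    "Mimecast": ["195.130.217.0/24", "91.220.42.0/24", "185.58.84.0/22"],
}
LDAPS_PORT = "636"

NETWORKS = [
    (owner, ipaddress.ip_network(cidr))
    for owner, cidrs in ALLOWED_SOURCES.items()
    for cidr in cidrs
]

# Constructed sample log (assumed format: timestamp followed by key=value pairs).
SAMPLE_LOG = [
    "2018-03-01T08:00:02Z src=195.130.217.14 dst=203.0.113.10 dport=636 proto=tcp action=allow",
    "2018-03-01T08:00:05Z src=52.31.52.93 dst=203.0.113.10 dport=636 proto=tcp action=allow",
    "2018-03-01T08:03:41Z src=198.51.100.77 dst=203.0.113.10 dport=636 proto=tcp action=allow",
    "2018-03-01T08:04:10Z src=185.58.87.200 dst=203.0.113.10 dport=636 proto=tcp action=deny",
    "2018-03-01T08:05:00Z src=198.51.100.77 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2018-03-01T08:06:12Z src=185.58.88.1 dst=203.0.113.10 dport=636 proto=tcp action=deny",
    "garbage line",
]


def source_owner(ip_text):
    """Return 'Interact' or 'Mimecast' if the address is allowlisted, else None."""
    addr = ipaddress.ip_address(ip_text)  # raises ValueError on a malformed address
    for owner, network in NETWORKS:
        if addr in network:
            return owner
    return None


def parse_line(line):
    """Split one log line into a dict of its key=value fields plus the timestamp."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["time"] = parts[0] if parts else ""
    return fields


def audit(lines):
    """Return (line_number, finding, detail) tuples for LDAPS traffic that
    contradicts the intended rule:
      unexpected-source-allowed  - rule is wider than the allowlist
      allowlisted-source-blocked - directory sync from a vendor would fail
      unparsed                   - line could not be evaluated, review by hand
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        try:
            if fields["dport"] != LDAPS_PORT or fields["proto"] != "tcp":
                continue  # not LDAPS traffic, out of scope for this check
            owner = source_owner(fields["src"])
            action = fields["action"]
        except (KeyError, ValueError):
            findings.append((number, "unparsed", line.strip()))
            continue
        if owner is None and action == "allow":
            findings.append((number, "unexpected-source-allowed", fields["src"]))
        elif owner is not None and action != "allow":
            findings.append((number, "allowlisted-source-blocked", fields["src"]))
    return findings


if __name__ == "__main__":
    for number, finding, detail in audit(SAMPLE_LOG):
        print(f"line {number}: {finding}: {detail}")
```

Any "unexpected-source-allowed" finding means the domain controller's port 636 is reachable from outside the two vendors and the rule's source list should be tightened.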
Create an SSL certificate with an External Certificate Authority (e.g. Globalsign). The convention used is sldap.vistra.com prefixed with the country code (e.g. jersldap.vistra.com) as the Common Name for the SSL certificate.
Install the certificate into the NTDS\Personal store on the Domain Controller:
Create an external DNS record to match the Common Name of the SSL certificate which points at an available External Public IP on your firewall
Setup an OU in Active Directory called ‘Intranet Groups’
Setup a user account to be used for the SLDAP sync (e.g. svcsldap) which is just a domain user
When this is set up, you will need the following details so that the connectors can be configured on Interact / Mimecast:
Domain LDAP path (e.g. dc=test,dc=co,dc=uk).
Interact Groups LDAP path (e.g. OU=Intranet Groups,dc=test,dc=co,dc=uk)
Common Name of the SSL certificate
Domain Name
Functional level of domain
SLDAP Windows Username (with Domain User privileges).
SLDAP Windows User Distinguished Name (e.g. CN=svcsldap,OU=Users,dc=test,dc=co,dc=uk)
SLDAP Windows User Password
(To be provided over the phone or via SMS)
To add the SLDAP connection to Mimecast, Login to Admin Console and then click Administration / Services / Directory Synchronization:
Click New Directory Connector Button:
Fill out the required information and tick the check box and then click on Test Connection. If successful then Save and Exit the new connector:
To add the SLDAP connection to Interact Click on Settings / Application Settings:
Click on Manage People:
Click Manage Profile Sources:
Click Active Directory:
Enter Connector information on all tabs (Review existing work.local connector for settings): Note. in the Group Distinguished Name field, remove the Base DN from the full path
Click to Test the new connector and you should receive a tick:
This page contains information about how Caseware was set up. In case of issues, you should be able to do basic troubleshooting.
Caseware is a streamed app installed on AMSSRVCTX010. It uses AMSSRVCW002 (Smartsync Server) as a file repository. This way users can work together on files.
There are 2 security groups. Depending on where the user is located you choose the correct one (Amsterdam or Rotterdam).
On AMSSRVCW002 there is a folder located on E:\ containing 2 folders: one for the Rotterdam users and one for the Amsterdam users. The security groups below determine who should have access to which folder. By default, if a user is located in Amsterdam he should have access to only the Amsterdam files, and vice versa.
Security - Rotterdam Caseware (Applies 2 GPOs located on OU=Terminal Servers,OU=Amsterdam,OU=Vistra,DC=work,DC=local)
- Vistra - Rotterdam - User - Mapped Network Drives (Caseware) (Mounts a W:\ drive for the user which is pointing to \\amssrvcw002\cwnlrtm$ (E:\Caseware\CWLIB\CWNLRTM))
- Vistra - Rotterdam - User - Caseware Registry Settings (Applies 3 registry entries which determine the settings for the Caseware tool and which Smartsync server caseware should connect to.)
Security - Amsterdam Caseware (Applies 2 GPOs located on OU=Workstations,OU=Amsterdam,OU=Vistra,DC=work,DC=local)
- Vistra - Amsterdam - User - Mapped Network Drives (Caseware) (Mounts a W:\ drive for the user which is pointing to \\amssrvcw002\cwnlams$ (E:\Caseware\CWLIB\CWNLAMS))
- Vistra - Amsterdam - User - Caseware Registry Settings (Applies 3 registry entries which determine the settings for the Caseware tool and which Smartsync server caseware should connect to.)
Caseware streams 3 other applications to the users. See below.
Caseware - Explorer: Users need to be able to drag and drop files in Caseware. Since it's a streaming app, it's not possible to drag files from your local machine to it, so you need to use the Explorer that is streamed from the server.
Caseware - Region Settings: Users need to be able to change the comma and dot settings for the docs. They can do this with the Region and Language settings.
Further details:
- The smartsync server is setup using the SVCCW account. If something is not working please make sure this account is unlocked.
- On the AMSSRVCW002 server, there are 2 services that are important for a good running Caseware. Make sure these services are always running. If Caseware is not able to connect to smartsync you might need to restart one of these.
- Caseware information/support can be found here: https://support.caseware.nl/hc/nl
Please find below the new proposed leavers process for On-Premise work.local Exchange users.
Please ask your teams to start running with this and advise if there are any updates / additional items required. I will also add this into a Zendesk KB article which can be updated as required. When we have the IAM solution rolled out, we will be able to automate a lot of the items below.
Further processes will follow for O365 leavers and non-integrated office leavers.
Leavers Process – Email – On Premise work.local Exchange User
Move the AD account to the Leavers OU for the Jurisdiction
Disable Account / Set Expiry
Add the staff member to the group ‘Security - Mimecast - On-Premise Leaver Email Routing’. This will then allow Mimecast to route the email for the leaver to the correct Exchange organisation to receive an out of office. (Complete this on an Amsterdam Domain Controller, as Mimecast SLDAP is set up to AMSSRVDC002, and then run a Mimecast Directory Sync to pick up this change. Automatic syncs happen at 8am / 1pm / 6pm / 11pm GMT.)
Delivery Routes are configured on Mimecast to Route the email to On-Prem or O365 for Out of Office Messages
Remove the staff member from all AD groups (the Mimecast sync must have completed first to pick up the new routing)
Hide the Mailbox from Exchange Address List
Set Out of Office on the mailbox either via PowerShell or the Exchange Server 2010/2013 Out of Office tool on the Admin servers.
To change the internal and external OoO message using PowerShell:
Set-MailboxAutoReplyConfiguration -Identity "username" -InternalMessage "{Name of leaver} no longer works for Vistra and your email has not been delivered. For further assistance, please resend your email to {nominated person's email address}." -ExternalMessage "{Name of leaver} no longer works for Vistra and your email has not been delivered. For further assistance, please resend your email to {nominated person's email address}."
To enable the out of office message using powershell:
Remove any Delegated / Full Mailbox Access that other Staff members may have to the mailbox
Remove any Send As Permissions
Disable Mail Features from the mailbox only leaving MAPI enabled
Should a Forward be requested (For highly exceptional circumstances) on the Leaver form then this should be set by a Mail Flow Delivery Option. Note that the email should also be delivered to the mailbox to trigger the Out of Office response:
Update the Description of the AD Account to the Leave Date:
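The leaver steps above as a two-phase PowerShell script, added here as an example and not the team's own tooling. The parameter names, the Leavers OU DN, the description format and the choice to keep the routing group during cleanup are assumptions; the routing group name and AMSSRVDC002 come from the process itself.

```powershell
# Added example, not the team's script. Run in the Exchange Management Shell.
# Phase 1 (default) covers every step up to the Mimecast sync.
# Phase 2 (-GroupCleanup) strips group memberships and must wait for that sync.
param(
    [Parameter(Mandatory = $true)] [string]   $SamAccountName,
    [Parameter(Mandatory = $true)] [string]   $LeaverName,
    [Parameter(Mandatory = $true)] [string]   $NomineeEmail,
    [Parameter(Mandatory = $true)] [datetime] $LeaveDate,
    [string] $LeaversOuDn,             # placeholder: DN of the Leavers OU for the jurisdiction
    [string] $ForwardTo,               # only when a forward was approved on the Leaver form
    [string] $Server = 'AMSSRVDC002',  # DC that Mimecast SLDAP reads from, per the process
    [switch] $GroupCleanup
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$routingName  = 'Security - Mimecast - On-Premise Leaver Email Routing'
$routingGroup = Get-ADGroup -Filter "Name -eq '$routingName'" -Server $Server
if (-not $routingGroup) { throw "Routing group not found on $Server." }
$user = Get-ADUser -Identity $SamAccountName -Server $Server

if ($GroupCleanup) {
    $groups = @(Get-ADPrincipalGroupMembership -Identity $user -Server $Server)
    $routed = $groups | Where-Object { $_.DistinguishedName -eq $routingGroup.DistinguishedName }
    if (-not $routed) { throw 'Leaver is not in the routing group yet; run phase 1 first.' }
    # Assumption: the routing group is kept so Mimecast keeps routing to the out of office.
    # 'Domain Users' is the primary group and cannot be removed this way.
    $groups |
        Where-Object { $_.DistinguishedName -ne $routingGroup.DistinguishedName -and
                       $_.Name -ne 'Domain Users' } |
        ForEach-Object {
            Remove-ADGroupMember -Identity $_ -Members $user -Server $Server -Confirm:$false
            Write-Output "Removed from group: $($_.Name)"
        }
    return
}

if (-not $LeaversOuDn) { throw 'LeaversOuDn is required for phase 1.' }

# --- Active Directory: disable, expire, route, describe ---
Disable-ADAccount -Identity $user -Server $Server
Set-ADAccountExpiration -Identity $user -DateTime $LeaveDate -Server $Server
$already = Get-ADGroupMember -Identity $routingGroup -Server $Server |
    Where-Object { $_.SID -eq $user.SID }
if (-not $already) { Add-ADGroupMember -Identity $routingGroup -Members $user -Server $Server }
# Assumption: description format; the process only says "the Leave Date".
Set-ADUser -Identity $user -Server $Server -Description ('Leaver {0:dd/MM/yyyy}' -f $LeaveDate)

# --- Exchange: hide, out of office, strip delegates, restrict protocols ---
$mbx = Get-Mailbox -Identity $SamAccountName
Set-Mailbox -Identity $SamAccountName -HiddenFromAddressListsEnabled $true
$ooo = "$LeaverName no longer works for Vistra and your email has not been delivered. " +
       "For further assistance, please resend your email to $NomineeEmail."
Set-MailboxAutoReplyConfiguration -Identity $SamAccountName -AutoReplyState Enabled `
    -InternalMessage $ooo -ExternalMessage $ooo

# Explicit (non-inherited) Full Access grants held by other staff.
Get-MailboxPermission -Identity $SamAccountName |
    Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                   [string]$_.User -ne 'NT AUTHORITY\SELF' -and
                   $_.AccessRights -match 'FullAccess' } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $SamAccountName -User ([string]$_.User) `
            -AccessRights FullAccess -Confirm:$false
        Write-Output "Removed Full Access: $($_.User)"
    }

# Explicit Send As grants live on the AD object in on-premise Exchange.
Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { -not $_.IsInherited -and [string]$_.User -ne 'NT AUTHORITY\SELF' -and
                   $_.ExtendedRights -match 'Send.As' } |
    ForEach-Object {
        Remove-ADPermission -Identity $mbx.DistinguishedName -User ([string]$_.User) `
            -ExtendedRights 'Send As' -Confirm:$false
        Write-Output "Removed Send As: $($_.User)"
    }

# Leave only MAPI enabled.
Set-CASMailbox -Identity $SamAccountName -OWAEnabled $false -ActiveSyncEnabled $false `
    -PopEnabled $false -ImapEnabled $false -MAPIEnabled $true

# Exceptional forward: still deliver to the mailbox so the out of office fires.
if ($ForwardTo) {
    Set-Mailbox -Identity $SamAccountName -ForwardingAddress $ForwardTo `
        -DeliverToMailboxAndForward $true
}

# Moved last so the distinguished name used above stays valid during this run.
Move-ADObject -Identity $user.ObjectGUID -TargetPath $LeaversOuDn -Server $Server
Write-Output 'Phase 1 complete. Run a Mimecast Directory Sync, then rerun with -GroupCleanup.'
```

The script cannot see whether the Mimecast Directory Sync has finished; phase 2 only checks that the routing membership exists, so confirm the sync in Mimecast before running it.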
Should the London accounts team submit any cases in regards to Sage 50 Accounts taking a long time to open, or is running really slow, please use the following to resolve:
Note: You will need to ensure all users are out of Sage before you continue, otherwise you run the risk of corrupting Sage data. To be safe, I would suggest calling the user who reported the issue and asking them to confirm that everyone is out of Sage before you continue.
Log in to LDNSRVFS001, and open up services. You will need to find the following 2 services:
Stop the 'Control' service first, and then stop the 'Service' service. The 'Service' service always fails to stop, so you will need to use the following command in CMD (elevated): taskkill /f /pid <enter PID number here>
You can find the PID number of any service that is running in Task Manager:
Once both services are stopped PLEASE ENSURE you start the 'Service' service first, and then the 'Control' service second. Once both are up and running again, you can instruct the accounts team to use Sage 50 Accounts again.
If exporting data from Viewpoint in to Excel fails, I have provided a work around.
When exporting data, ensure that the settings match the screenshot below:
This will copy the exported data to the clipboard. Now open up a new Excel Workbook, right click on the first empty field (A1) and click 'Paste Special...':
Then on the following window that appears select the source as 'Text', and then Click 'OK':
This will paste the exported data in to its correct format.
This sheet is created to be used for Quarterly task T39.
1. Open Internet Explorer and browse to the Nimble webinterface (check PM for login credentials)
2. Go to administration -> software:
3. This is the overview of the currently installed Firmware version. Click on download to get the latest firmware version. Once downloaded, create a Request for Change to plan the update. Click on update once approved and monitor the process.
*Please note that using the download button you will get the InProduction firmware versions. If you do not get the latest version, please contact Nimble support -> Please see step 4
4. They can provide a direct link to download the firmware. Once you've downloaded the firmware, you can manually upload by using the upload button. Please see below screenshots to manually upload the firmware. Once uploaded you can click on update to perform the update.
This list is progressive as deployment of O365 products continues:
work.local/Vistra/_IT Users
work.local/Vistra/Amsterdam/3rd Party - Mckinsey
work.local/Vistra/Amsterdam/Distribution Groups - O365
work.local/Vistra/Amsterdam/Users
work.local/Vistra/Amsterdam/Users/BSS
work.local/Vistra/Bristol/Users - O365
work.local/Vistra/Bristol/Distribution Groups- O365
work.local/Vistra/CEE/Users
work.local/Vistra/CEE/Users/VFS
work.local/Vistra/Curacao/Contacts
work.local/Vistra/Curacao/Distribution Groups
work.local/Vistra/Curacao/Leavers - O365
work.local/Vistra/Curacao/Shared Mailboxes
work.local/Vistra/Curacao/Users
work.local/Vistra/Cyprus/Distribution Groups - O365
work.local/Vistra/Cyprus/Users
work.local/Vistra/Cyprus/Users/Jordans
work.local/Vistra/Cyprus/Users/OF
work.local/Vistra/Frankfurt/Service Accounts
work.local/Vistra/Hong Kong/Users
work.local/Vistra/Hong Kong/Users/OF
work.local/Vistra/India/Contacts
work.local/Vistra/India/Distribution Groups - UJWAL
work.local/Vistra/India/Distribution Groups
work.local/Vistra/India/Leavers
work.local/Vistra/India/Leavers - UJWAL
work.local/Vistra/India/Shared Mailboxes
work.local/Vistra/India/Users
work.local/Vistra/India/Users - UJWAL
work.local/Vistra/Jersey Group Management/Users
work.local/Vistra/London/Users
work.local/Vistra/London/Users/OF
work.local/Vistra/London/Users/USA2Europe
work.local/Vistra/Luxembourg/Users/_OF
work.local/Vistra/Luxembourg/Users/_VL
work.local/Vistra/Mauritius/Distribution Groups
work.local/Vistra/Mauritius/Leavers - O365
work.local/Vistra/Mauritius/Security Groups/Mailbox Access
work.local/Vistra/Mauritius/Shared Mailboxes
work.local/Vistra/Mauritius/Users
work.local/Vistra/Seychelles/Distribution Groups
work.local/Vistra/Seychelles/Shared Mailboxes
work.local/Vistra/Seychelles/Users
work.local/Vistra/Sydney/Contacts
work.local/Vistra/Sydney/Distribution Groups
work.local/Vistra/Sydney/Leavers
work.local/Service Accounts/_O365 Vistra Tenant
work.local/OIL/BVI/Distribution Groups
work.local/OIL/BVI/Users
work.local/OIL/Hong Kong/Users
work.local/OIL/Hong Kong/Users/BSS
work.local/OIL/Hong Kong/Users/IT
work.local/OIL/Shanghai/Users/IT
work.local/OIL/Singapore/Users/IT
work.local/Orangefield/Soest/Users O365
To add an additional OU, please carry out the following:
Log in to AMSSRVADFS001 and open Azure Synchronization Service Manager. Click on Connectors, right-click on the work.local connector and select Properties:
Select Configure Directory Partitions and click on Containers:
Enter the password for svcazure and click OK:
Select the OU that you would like to sync and Click OK, Click OK:
Open Active Directory Module for Windows PowerShell and run the following command to set off a sync: Start-ADSyncSyncCycle -PolicyType Delta
You can then check that this has completed either via the Synchronization Service Manager or from the O365 Dashboard:
To temporarily disable DLP on a specific machine to allow USB or upload access for a non-specific
Log into https://amssrvepo001:8443 via your browser.
(For Swiss offices use https://zrhsrvepo01:8443, for Luxembourg use https://luxsrvepo01:8443)
Go to Menu>Help Desk
On the next page, complete the User's name, email address, workstation number and the reason for the bypass.
Then, On the target workstation/server, right-click on the McAfee Agent system tray icon, choose 'Manage Features' then 'DLP Endpoint Console'
**NOTE**
If this is not visible (usually because you are connected to the machine via RDP) then navigate to:
C:\Program Files\McAfee\Agent and open a command window from that location.
Then type: cmdagent.exe /s and hit enter. This will launch the McAfee agent status monitor and make the agent visible in the system tray.
You can find the name of the policy & the Revision ID from the Endpoint Configuration part on the 'about' tab.
Then, click on 'Tasks' and copy the identification code into the Help Desk window.
**Important**
Before you click 'Generate Code' make sure to set the bypass duration to the appropriate time. This defines how long DLP will remain disabled for, and needs to be set to the least required time.
Once you generate the code, copy it into the 'Release Code' field in the Endpoint Console on the user's machine, then click 'Start Bypass'
DLP will remain in bypass mode for the amount of time specified in the Help Desk tool.
If you have any questions about this, contact Amsterdam IT on +31 88 560 9900
When setting up a new Macbook for a user, follow the below steps. It is important these steps are completed BEFORE the user is given the device & adds an iCloud/iTunes account to it:
Initial Config
During initial config of the device, set the language to English and set appropriate time zone when prompted.
When prompted to sign-in to an Apple account, choose the option 'Don't sign in'
Create the user with the windows username of the person to whom the device will be given, and then set the password to the standard Vistra login of 'LetMeIn' - the user will change this when they connect their Apple account to the device.
Once initial setup is completed, the following MUST be done:
Security
Go to https://vistra.sharefile.com and download the McAfee Endpoint Security for Mac package which is located in: Shared Folders>IT Support>Laptop Setup (login details in the Password Manager)
Install the package, you may have to enter the login password for the Mac to allow the Safari addin to be installed.
You will then need to activate FileVault (file encryption for Mac). To do this, click the Apple icon in the top-left of the screen and go to System Preferences.
Choose "Security & Privacy" and then "FileVault"
Click on the lock in bottom-left of the window, and then enter the MacBook password to unlock.
Click the 'Turn on FileVault' button and then DO NOT CHOOSE TO STORE THE ENCRYPTION KEY WITH APPLE.
Make a note of the encryption key and upload it to Sharefile in: Shared Folders>IT Support>Laptop Setup>McAfee Offline Encryption>Encryption Keys
The encryption will continue in the background after a restart, while you work.
Citrix Install
Go to receiver.citrix.com then download & install the Citrix Receiver for Mac
Then create bookmarks for the following 2 pages in Safari:
https://nlcitrix.vistra.com (or other Citrix link relevant to the user's location)
You need to download and install the registered version of PHPRunner: 32bit: http://www.asprunner.com/files/webreports/phprunner98-setup.exe 64bit: http://www.asprunner.com/files/webreports/phprunner98-setup64.exe
To download the software use the following: Username: webreports Password: web!12~
I also recommend you to check the Templates Pack that includes Shopping Cart, Calendar and Members templates at http://www.xlinesoft.com/templates. Using these templates you can build a fully-functional, completely customizable eCommerce and intranet websites in matter of minutes.
If you lose your key file and need to re-install this software, just drop a note to support@xlinesoft.com and I'll send it to you again.
If you need any help using PHPRunner feel free to ask your questions in PHPRunner forums at http://www.asprunner.com/forums/index. Our experts are always ready to help.
Created: 18/09/17 Team Working on Project: Jon Le Page / Ambrus Porcsin / Matthias Thömmes
Due to email routing constraints with the managed Datev data centre solution that Optegra are currently using, we are not able to route outbound emails via Mimecast like we would normally with other integrations. Due to this the email flow will be the following:
The following OU’s created to host mail users for email routing and address book for work.local staff:
The following AD groups are used for the email routing. Any new starters for these offices should have a Mail User object created in the correct OU above and be added to their office's group below:
Email - All Vistra Cologne Contacts
CN=Email - All Vistra Cologne Contacts,OU=Distribution Groups,OU=Cologne,OU=Vistra,DC=work,DC=local
Email - All Vistra Munich Contacts
CN=Email - All Vistra Munich Contacts,OU=Distribution Groups,OU=Munich,OU=Vistra,DC=work,DC=local
Email - All Vistra Hamburg Contacts
CN=Email - All Vistra Hamburg Contacts,OU=Distribution Groups,OU=Hamburg,OU=Vistra,DC=work,DC=local
Email - All Vistra Leipzig Contacts
CN=Email - All Vistra Leipzig Contacts,OU=Distribution Groups,OU=Leipzig,OU=Vistra,DC=work,DC=local
Delivery routes created on legacy Mail Marshal Servers:
Exception added to the Spoofing Rule on Legacy Mail Marshal Servers:
Profile Group created on Mimecast with Optegra.de Addresses to be used in Forwarding Addresses:
Forwarding Addresses created on legacy Mimecast for the Vistra.com Addresses to forward to Optegra.de:
Content Examination Exception added to bypass the Anti Spoofing Rule when coming from the Datev Mailgateway IP addresses:
Greylisting Exception added for the Optegra Email Groups, as they are not routing outbound via Mimecast and so won't have built up their Auto-Allow lists:
Impersonation Protect Exception added for Optegra Email Groups when coming from the Datev Mailgateway IP addresses:
Blocked Senders Exception added for Optegra.de due to email forwards that have been setup:
Datev Mailgateways added into the Vistra.com SPF Record due to them not routing outbound via Mimecast:
The Business Systems team may receive updated License files from Viewpoint if they purchase additional features or license counts.
When Viewpoint send the license file, they often call this 'vistra viewpoint.lic'. This needs to be renamed to just 'viewpoint.lic' ready for putting in place.
This license file should first be put in place for the Test Viewpoint for the BSS team to check and approve for it to be put live.
Connect to the relevant Test Viewpoint program files, for example: \\jersrvsql01\vpapps$\JERVIEWPOINTTEST\Program
Rename the existing viewpoint.lic file to viewpointReplaced%Date%.lic
Copy the new 'viewpoint.lic' license file into the Viewpoint Program Directory
Run Viewpoint Database Management from the Viewpoint Program Directory:
Login using the viewpoint username and password:
Credentials can be found here in the password database:
Click on Change License Option from the left navigation bar to view the new license information:
Click on the License Configuration tab to see which features will be added / removed with the new license file and click Apply Changes:
Click OK:
Click OK:
Close Viewpoint Database Management and login to Viewpoint. Click on the Viewpoint tab and select About from the list:
Check that the license has applied and click OK:
Ask the BSS team to test the new license in UAT and approve the change for Live and then repeat the above process for Live.
If there are any issues with the new license file then revert to the previous license file.
In Zurich there are 2 kinds of printers. Those coming from the Print server and the others directly attached to a PC (label printers).
All settings for all printers are the same:
1 sided print
Black and white
These settings were asked to be in place by Bruno Sidler to all printers.
Print server: ZRHSRVDC001
IPs of all Printers in the Print Server:
There are 5 Canon Printers using the following Driver:
Canon Generic Plus UFR II
There are 6 HP Printers using the following Driver:
HP Universal Printing PCL 6
There are 3 Brother printers using the following Driver:
Brother HL-3170CDW series
All drivers were updated because Microsoft now requires printer vendors to provide signed, package-aware drivers.
Without these types of drivers you will probably get this:
For vendors that do not update their drivers, there is a way through GPO to disable that popup.
In addition to updating the drivers, I have performed the following tasks on the print server:
All other older drivers were removed.
All other TCP ports were removed.
Since there was no GPO for Printers and all users had it manually connected I had to create a GPO for it.
GPO:
Vistra - Zurich - User Printers
Computer Settings (these settings make sure that non-package-aware drivers are installed silently).
Computer settings:
The names of the print server and of the ZRHWRKXXX machines that have Brother printers shared on them have been added to the following strings in the policy.
Computer Configuration > Administrative templates > Printers > Package Point and print > Approved servers
Computer Configuration > Administrative templates > Printers > Point and Print Restrictions
User Settings:
All printers are created and there are groups defined per printer to allow a user / group of users to have it assigned to its own PC. Those groups are under the OU named Printers.
For example:
If a user needs the printer ZRHPRN001:
You need to add that user to the group:
Security - Zurich Printers ZRHPRN001
The user then needs to log off and log back in to get the membership of that group and printer will be added automatically.
Regarding the Label printers, there are two computers at this moment with those printers shared on the network.
ZRHWRK043 and ZRHWRK045
If someone needs access to those printers, like above, you add them to the relevant security group:
Go to the ‘My Account’ tab and download the Bomgar representative console:
During installation, install the Bomgar display driver when given the option.
Once installed, you can then log into the tool using the Vistra IT admin account.
Connecting to Workstations
There are several available methods for connecting to a workstation using Bomgar; 3 of these are explained below.
Method 1 – Jump
The main screen of the console is split into 2 main parts. The top half of the screen contains the connection queues and displays any currently active sessions.
The bottom half of the screen displays the jump clients installed on the endpoints. Click ‘refresh’ to update the display with the currently active clients.
To use the ‘Jump’ method simply double-click on the desired workstation in the list. The user will receive a pop-up on their screen informing them that you are trying to connect to their workstation. They will need to click ‘allow’ before you will be able to see their screen.
Method 2 – Jump To
At the top of the screen in the console, you will see the ‘Jump To’ button.
Click this, then change the ‘Jumpoint’ to the location closest to the office you want to connect to. Then, enter the hostname of the workstation (i.e. UKBRSWRK013) and click ‘Jump’. You will then need to enter credentials with admin access to the specified workstation. Again, the end user will need to allow the connection.
Method 3 – Remote support link.
You can email the end user a remote support link using the console. To do this, click the ‘Start’ button in the top-left corner of the representative console.
You should see this screen:
Click on the ‘email’ button to send a link directly to the user.
You’ll notice you can also access the other Jump methods from this start button. If for any reason you are not able to start the connection with the workstation, the user can go to https://nlremotesupport.vistra.com to initiate the connection from their side.
Once connected, you will have full access to the workstation and Bomgar will keep the connection alive if you need to reboot the machine you’re connected to.
- Press F12 until you see the "One Time Boot Menu"
- Click on "Onboard NIC"
The PC will then connect to JERSRVWDS01 and pull down the boot image file
Setup will begin
Change Locale from "US" to "United Kingdom"
Enter your admin credentials (Make sure you enter work\ before your username)
Pick the image you would like to use on the PC: JERWRK - Jersey Image VGMLWRK - VGML Image Blank PC - Clean Image
The PC will then start to image and this will take around 10/15 minutes.
You will then be logged in with the Europe-IT account automatically and the batch file with all the installations will run (This will take a further 5 minutes to run and install)
Once the batch file has been run, change the PC object name from JERWRK009 to the PC name which is labelled on the sticker on the top of the PC.
Restart the PC and the imaging process is complete, shut down the machine and the PC is ready to go.
Datev has recently been updated to Windows Server 2016 by the vendor. This causes some issues when setting up the account for Outlook. In the attachments you can find instructions and the required files.
Connection to Datev.
Create a shortcut to the DATEV server on the staff member's desktop:
http://dcsgvistra.geiger-bdt.de/
Within the Citrix session for Datev, please enter the O365 details for Outlook 2013.
The user is invoicing.fra with invoicing.fra@vistra.com as the email address. The password can be found in the password manager.
This is only to be used for emergency IT instances. If any issues can wait until normal working hours then please send an email to itsupport@vistra.com.
The on call IT emergency telephone number: +31 88 560 9911
This number is also given in the recorded message when calling the Amsterdam IT team out of working hours.
If you want to setup an Exchange account on a MacBook please disable the Auto-discover. Here is how to do this:
Disable Exchange Autodiscover on Outlook
While Autodiscover with Microsoft Exchange can be great, sometimes a company can have a rather difficult DNS setup. Maybe it's their use of internal and external DNS servers with different IP addresses and hostnames for the mail server if you're on the network (in the office) versus when you're not. This can wreak havoc on Outlook's autodiscover feature. To disable Autodiscover, close Outlook completely, launch AppleScript, and type the following command (be sure to change AccountName to the profile name in Outlook).
After you hit the play button to run it, you can close AppleScript and reopen Outlook. Autodiscover will now be disabled so whatever server settings you put in, will stay.
Please be aware that I have now setup the Cyprus Viewpoint Nirvana environments ready for the BSS team to start working with.
Note, this Nirvana database will not be used by staff in Cyprus at this time and Unity remains the Live database for staff to carry out their day to day work.
Access to open this Viewpoint Nirvana environment is controlled with the following security group: Application - Cyprus Viewpoint Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Cyprus office will access this from their Start Menu and launch locally rather than via Citrix:
To identify whether a staff member is using the Live or Test environment look at the menu bars. If it is yellow as below the staff member is in TEST, which can also be identified by the bottom status bar which displays the environment name and also SQL Instance / Database:
Access to the site requires for the staff member to be part of the Viewpoint Security group Application - Cyprus Viewpoint Users and then access to sub folders is controlled by the following groups:
Application - CYP Viewpoint SSRS - Accounts Report Access
Application - CYP Viewpoint SSRS - Administrators Report Access
Application - CYP Viewpoint SSRS - Chargeability Reports Access
Application - CYP Viewpoint SSRS - Compliance Reports Access
Application - CYP Viewpoint SSRS - Finance Reports Access
Application - CYP Viewpoint SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
Please be aware that I have now setup the Jersey Viewpoint Nirvana environments ready for the BSS team to start working with.
Note, this Nirvana database will not be used by staff in Jersey at this time and the existing Viewpoint (JERSRVSQL01\JERVIEWPOINT) remains the Live database for staff to carry out their day to day work.
Access to open this Viewpoint Nirvana environment is controlled with the following security group: Application - Jersey Viewpoint Nirvana Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Jersey office will access this from their Start Menu and launch locally rather than via Citrix:
The Viewpoint Launch Path Directories for both the Live and Test Nirvana are in the following location:
To identify whether a staff member is using the Live or Test environment look at the menu bars. If it is yellow as below the staff member is in TEST, which can also be identified by the bottom status bar which displays the environment name and also SQL Instance / Database. Note that the Nirvana Live is currently green due to Jersey already using Viewpoint; this will be changed to white when this new environment goes live:
Access to the site requires for the staff member to be part of the Viewpoint Security group Application - Jersey Viewpoint Nirvana Users and then access to sub folders is controlled by the following groups:
Application - JER Nirvana SSRS - Accounts Report Access
Application - JER Nirvana SSRS - Administrators Report Access
Application - JER Nirvana SSRS - Chargeability Reports Access
Application - JER Nirvana SSRS - Compliance Reports Access
Application - JER Nirvana SSRS - Finance Reports Access
Application - JER Nirvana SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
AIS Business Application Support Procedures and Contacts
The P1 out of hours support is an Engineer to Resolution service for MobileIron Critical issues only.
If you experience a critical issue outside of standard business hours (Monday-Friday 9:00-17:30 GMT) call the P1OOH number to speak to an engineer on call.
This on call service is provided 24x7x365.
Standard Business Hours
During the hours of 09:00 to 17:30 Monday to Friday GMT you must log calls via the normal method.
Phone: +44 (0) 2036 515 392
Email: Support@cwsi.ie
Outside Standard Business Hours
Outside of standard business hours you must phone the on call number which is provided below.
As of 1st of August 2017, the Quorum database from Jordans has been migrated to the Vistra virtual hosts in Cyprus. The Cyprus office already owns a Quorum instance. Now they have 2 different Quorum databases
Install application
**Please note that you do not have to install the client for the Jordans database if the client for the Vistra database has already been installed. Please refer to below if you want to connect to the Jordans database with an existing client
1. Open a web browser on the users pc and navigate to http://jordanscx:3030
2. Install the client by clicking Install
3. Once the application has been installed make sure you connect to the right database by filling in the right server name. Leave everything else default
Creating users
Please make sure you have enough licenses before creating users.
1. Log in with the Quorum client using the administrator account. Credentials can be found in password manager
2. Click Maintenance -> Employees. In here you can create as many users as you want.
3. Assign the license by clicking Security Settings -> Green PLUS
4. Select the user that needs to login and fill in required fields like below. Please note that you do not have to fill in level 2 password. Please make sure you tick Enable Corporate and Enable Banking.
Now the user is able to login.
Please note that if you get the following error when pressing save you do not have enough licenses. Either new licenses need to be bought or you have to discuss with the MD if you can remove existing users from the Security (License) page.
8. For $DB, enter VPM3 or VPM6 as appropriate to the environment with the backlog
9. Update the $fnCode variable with the code noted in step 5
10. Execute. This script will place all records with that fund code on hold and subsequently enter a loop which will release the holds one by one provided there are no more than 3 non-held records in the queue at a time. Items for other funds will then be able to jump to the head of the line.
b. VPM Rebuild Queue Backlog – Process Server Not Running
i. Resolution (end-user accessible)
1. Launch VPM15 (same as above)
2. Click the System ribbon, Status button in the Process Server section on the left
3. Click the Start button in the right corner of the Status tab
ii. Resolution (admins only, if steps above fail to restart the Rebuild Queue)
1. Launch Admin VMware
a. Enter ps-it-admin-01.cac.nnw for IP Address/Name
b. Check “Use Windows session credentials”
2. Open a console window to PS-RB-VPM-15
a. Username – cacnnw\sungard
b. Password – Please call +1 212-500-6170
3. Open services.msc (pinned to taskbar)
4. Restart service Sungard VPM PS
c. Bloomberg Console – connection limit reached
i. Cause – stale vSphere console session
ii. Resolution
1. Launch Admin VMware
2. Choose Administration->Sessions
3. Log off any idle end-user sessions
4. Please do not log off sessions for any of the following accounts:
This article explains how to change the tapes in the Cyprus office to ensure smooth back-ups. The daily checks have to reflect the schedule below (on Friday a tape should be inserted and on Monday a new tape should be inserted).
To be done on Friday
To be done on Monday
Every day there will be a tape back-up running. Every Friday Lilia from the Cyprus office has to put in a new tape. This tape has to be labeled as below:
Tape ID : 1 + week-number + year
This back-up will run until Monday and contains 2 tapes. So on Monday the office has to be contacted to make sure the second tape has been inserted. Lilia has to label this tape as:
Tape ID : 2 + week-number + year
Please note that by the end of the month the label from the tape has to be different:
Tape ID: 1 + month + year
Example: Tape 1 July 2017; the tape on Monday should be labeled as Tape 2 July 2017.
Please see the table below. On Tuesday, Wednesday and Thursday Lilia has to fill in the tape that is labeled with that day (same as in Amsterdam).
Go to Menu > Policy Catalog, then click on 'Vistra - Client Configuration'
Choose 'Web Protection' on the next page, then scroll to the bottom of the right-hand pane.
Fill in the protocol with http or https, then the URL (this should be the top-level domain only - for example, vistra.com, not vistra.com/remote)
Click 'Add', then 'Apply Policy'. When the agent on the user's workstation next updates policies (this happens once per hour), they should be able to upload to the site.
AMS - Create Permanent DLP Bypass for Removable Storage
This guide details how to permanently bypass a specific USB/Removable storage device for users in the AMS hub / Connected to the AMS EPO.
**NOTE - Users MUST have approval for this from the appropriate person in their office**
Step 1 - Identifying the device
Connect remotely to the user's workstation and then go to this location from their desktop:
\\AMSSRVDC005\NETLOGON\Global\DLP
**Note that you need to replace the server name with whichever domain controller the user authenticates with.**
**Ask the user to unplug the USB device, then plug it back in.**
Run 'USBDeview.exe'
This tool will show you a history of all devices connected to the workstation, click on the column 'Last Plug/Unplug' to sort the column by most recently connected device.
Right-click on the device, click 'Properties', this will show you the information for that device. You can copy and paste from this.
Copy the Serial number, the Vendor ID & the Product ID
Make sure that 'Product' is set to 'Data Loss Prevention 10'
Click on 'Vistra - DLP Policy'
Then click, 'Vistra - Device Control'
Click on 'Block Removable Media'
On the next page, click 'Exceptions' and then the 3 dots next to the list of devices:
This brings you to the list of 'allowed' devices, click on 'New Item', then you'll see this screen:
From the categories on the left side, click 'USB (VID/PID Codes) & USB Device Serial Number'.
Change the name to something which describes the device best, for example: 'AMS - CommerzBank USB - Roel'
Enter the Vendor ID, Product ID & Serial number you copied earlier from the USBDeview.exe tool, then click 'save' in the bottom-right.
This brings you back to the list of allowed devices, make sure your new item is checked, and then click 'OK'.
Click Save again in the bottom right corner.
Now, go back to Menu>Policy Catalog> Vistra - DLP Policy. You should then be back on this screen:
As in the screenshot above, you should see that there are pending changes. Click 'Apply Policy'
This screen appears to confirm which policy is being updated, click 'Apply Policy' again:
You should then see this screen:
The device you added will now be allowed but monitored by McAfee DLP. As soon as the McAfee Agent on the user's workstation updates policies (this happens once per hour), the user can use the device.
For Information, the following share was created for colleagues in India to share data while logged into the NL Viewpoint - India citrix environment
Share name is 'VistraIndia$' and it maps to: \\AMSSRVFS001\VistraIndia$
This has been added to the start menu for the NL Viewpoint Desktop - India as 'Vistra India AMS Share'
There is a security group giving read/write access to the share, anyone requiring access needs to be in the following security group: 'Security - Amsterdam - Vistra India Share'
When creating new employees in Vistra ShareFile, please ensure you disable the permissions below for all staff members: the permissions with an arrow next to them need to be disabled. If these aren't changed on employee creation, the user is given the permissions highlighted in yellow below by default.
Unfortunately we are unable to change the default permissions at this point, so this will have to be completed manually when creating the user.
Please also change the storage zone from Public Cloud to Private Cloud (as stated below). This ensures that their uploaded data is stored in our on-prem storage zone rather than ShareFile's cloud storage.
To add Representatives to Bomgar Remote Support, do the following:
For IT Support users, add to this AD group:
Application - IT - Vistra Group - Bomgar ITreps
For Business Systems Support users, add to this AD group:
Application - IT - Vistra Group - Bomgar BSreps
Once added, allow time for replication (usually only a few minutes), they can then go to https://nlremotesupport.vistra.com/login to download and install the Bomgar Representative Console.
See this KB for a guide on using the support console.
Please be aware that whilst investigating an issue with the Amsterdam Indexer yesterday with an engineer from Phoenix I found that the issue was due to the version of Java being updated.
When installing updates to the Worksite indexers, please leave the Java at version 6 as it seems from version 7 Java no longer has a verify.dll that the Worksite Connector service is looking for and fails without:
C:\Program Files (x86)\Java\jre6\bin\verify.dll
Please also note that there is a specific stop / start order for the Indexer services. If this order is not followed, the search index for Worksite can be corrupted and will then require a full re-index.
Service Stop Order:
Worksite SyncTool
Worksite Connector
Worksite Ingestion
Worksite Active DIH
Worksite IDOL
Worksite Active Content Engine
Worksite Content Engine (All) (3-2-1)
Reboot the server
Service Start Order:
Worksite Content Engine (All) (1-2-3)
Worksite Active Content Engine
Worksite IDOL
Worksite Active DIH
Worksite Ingestion
Worksite Connector
Worksite SyncTool
Please notify the BSS team if you are updating the Indexers so that they are aware if staff start reporting issues to them and also carry out worksite searches post installing updates.
Please be aware that I have now setup the Bristol (Jordans) Viewpoint Nirvana environment ready for the office to start testing with prior to integration.
Access to open this Viewpoint Nirvana environment is controlled with the following security group and is currently only available via London’s Citrix Farm. The relevant Bristol office staff will be added after the BSS team have carried out their initial checks: Application - Bristol Viewpoint Users
When a staff member is part of the above group they will then be presented with the two Citrix Published apps below to access the environments. For Go-Live, staff in the Bristol office will access this from their Start Menu and launch locally rather than via Citrix:
The Viewpoint Launch Path Directories for both the Live and Test Nirvana are in the following location
To identify whether a staff member is using the Live or Test environment, look at the menu bars. If it is yellow as below, the staff member is in TEST, which can also be identified by the bottom status bar, which displays the environment name and also the SQL Instance / Database:
These are the SQL databases that are used for the Live and Test instances of Bristol Nirvana Viewpoint:
The Viewpoint Reports SSRS Site can be accessed from the following link: http://ldnsrvsql001/Reports_BRSVIEWPOINTSSRS
Access to the site requires for the staff member to be part of the Viewpoint Security group Application - Bristol Viewpoint Users and then access to sub folders is controlled by the following groups:
Application - BRS Viewpoint SSRS - Accounts Report Access
Application - BRS Viewpoint SSRS - Administrators Report Access
Application - BRS Viewpoint SSRS - Chargeability Reports Access
Application - BRS Viewpoint SSRS - Compliance Reports Access
Application - BRS Viewpoint SSRS - Finance Reports Access
Application - BRS Viewpoint SSRS - Test Users
Any modification to these AD groups should come via a request from the BSS team to ensure that the staff member is suitable for access to the specific reports.
This guide shows how to import GPT formatted disks into Hyper-V.
tl;dr. Hyper-V does not support GPT in boot drives. You will need to remove the boot partition and repair it manually to MBR. To see if you have a GPT disk, go to Disk Management, right-click Disk 0 (or wherever your C:\ is installed), go to Properties, Volumes tab. Look at the Partition Style field.
Requirements:
- Server OS .iso
- Workstation with workstation OS
- AOMEI Partition Assistant (www.disk-partition.com)
1. P2V the disk to a VHDX or VHD. Use VHDX only if your workstation OS is 8 or higher
2. On a workstation (non-server OS) download and install the trial for AOMEI Partition Assistant (www.disk-partition.com)
3. In Disk management attach your .VHD(X)
4. Start AOMEI Partition Assistant and find your attached VHD(X)
5. Remove everything in front of your main partition
6. Right click your disk and select Rebuild MBR and click on OK
7. Click on Apply on the top left. Then Proceed and click YES
8. Create new VM in Hyper-V and attach the VHD(X). Do not add the NIC yet (just to be sure), also attach Server OS .iso as a disk.
9. Boot from Server OS .iso and choose Repair OS
10. Get to a CMD prompt. There is a different way to get there for each OS. If needed, google it.
11. In the CMD window type the following:
    diskpart
    list disk
    select disk 0
    list partition
    select partition 1
    active
    exit
12. Restart VM and boot from .iso again. Get to same CMD prompt as the previous step
13. Type in the following commands:
    bootrec /fixmbr
    bootrec /fixboot
    bootrec /rebuildbcd
14. Say yes when prompted with the question to add installation to boot list
15. Restart server
16. Boot from .iso again, go to the CMD prompt and type in the following:
    cd recovery
    startrep
17. If you end up with errors you're probably on server 2012 or above. In this case, you can start booting the OS normally now.
18. Windows will do some registry changes. Let it finish before turning it off again.
The PWC Compass tool is used by staff around the group to maintain FATCA classifications and classify new entities as part of their business as usual processes. Compass is a web-enabled solution which supports the classification and maintenance of those classifications, with a full audit history, reducing the risk of penalties or internal audit scrutiny and enabling organisations to have a consistent approach to classification allowing a streamlined response to FATCA / CRS status requests from third party financial institutions.
Server Setup
AMSSRVCMPS001 - SQL Server
10.30.10.165
2 x Processor Cores
16GB RAM
C: 100 GB
D: 100 GB
SQL Backup Location: \\amssrvfs001\sqlbackups$\AMSCOMPASS
Instance / Server Access AD Group: WORK\Security - IT - Amsterdam PWC Compass Administrators
Web Interface connects to the SQL database using this SQL Login (Password in NPM):
AMSSRVCMPW001 - Web Server
10.30.10.166
2 x Processor Cores
16GB RAM
C: 100GB
Server Access AD Group: WORK\Security - IT - Amsterdam PWC Compass Administrators
Front End Application
This is purely web based and can be accessed via the following URL for both Administration and Staff use: http://amssrvcmpw001/Compass
User Setup & Password Resets
This task is currently with the following two staff based in the Jersey Office but may change in the future:
Pravin Yeole - Pravin.Yeole@vistra.com - +44 1534 504513
Michelle Le Blond - Michelle.LeBlond@vistra.com - +44 1534 504517
This is configured to send to the compass.portal.admins@vistra.com distribution group in the following config file on AMSSRVCMPW001:
Key Vistra Contacts
Jon Le Page - IT Technical Lead
Pravin Yeole - Project Manager
Michelle Le Blond - Project Team
Installed via Bomgar PAM by PWC Employees April 2017
Sudheer Parwana
PwC | Senior Manager
Mobile: +44 (0) 7734 958 870
Office: +44 (0) 121 265 5380
Email: sudheer.parwana@pwc.com
If you are currently running StorageZones version 2.0 then you will need to first install ShareFile StorageZones Controller 3.0.1, then restart the server. Once completed, then you can install the latest version (5.0 at time of writing this guide)
Before installation, take a snapshot of the server or ensure you have a backup from the same or previous day.
Installer is simple next, next, next, finish then restart.
Once installation is complete, test that you can login to your Sharefile instance on the internet then test uploading and downloading a file to confirm functionality.
1. Log in to the Arcserve web interface via https://amssrvstore001:8015
2. Go to resources -> All Nodes - Click on "Add Nodes"
3. Fill in the following credentials. Use username ->
Node = IP or name of server
Username = svcamsbackup
Password = can be found in PW manager
Description = Give name of server
4. Deploy agent to server by right click and choose - Install
5. After successful installation, the agent will be visible in Nodes Without a Plan
6. Now the plan needs to be assigned, so the server will make backups. Go to Plans -> All Plans -> Make sure you select the right plan. So for example:
-APP_AMSDS01_Data_6PM = Plan for applications stored on AMSDS01 (check on AMSSRVSTORE001) and will run on 6PM
So before assigning the server, make sure you select the correct group with enough space on the back-up server!
7. Select Plan -> Actions -> Add Nodes -> Select Nodes to Protect in Arcserve UDP -> Add the new server and press OK.
8. Check the next day that the back-up completed successfully
This document provides information on Vistra's ADFS infrastructure and the solutions that rely on it.
Authentication Flow:
1. Client PC/browser tries to access the resource (Intranet, Skillsoft, Policyhub, Mimecast Mailbox)
2. Resource server is not able to authenticate the user as the user is unknown, so it queries the respective federation service
3. Work.local AD is configured as a claims provider on the Federated Solution. Service Provider SAML/IDP Server queries the work.local federation server for the user identity
4 and 5. Federation server validates the user and issues a token to validate identity to the federation server in Policyhub.
6. Token is accepted and decrypted
7. User is allowed to access the resource server
8. Resource server contents are returned to the user’s browser.
All work.local users will sync to Mimecast via SLDAP connections automatically 24 hours after the account creation
4. SkillSoft
Normal accounts - add user to "SkillportUsers" security group
Admin account (HRBP) - add user to "SkillportLeadership" security group
Vistra ADFS Infrastructure Setup:
AMSSRVADFS001 (10.30.10.2) – Primary ADFS Server
AMSSRVADFS002 (10.30.10.3) – Secondary ADFS Server
vistra.com (10.30.10.4) NLB cluster IP and ADFS service domain name
ADFS service name service account is SVCADFS (saved in PW DB)
Note: auth.vistra.com has an external IP (152.194.64.8) and all Vistra/OIL, CEE offices and Policy Hub ADFS Servers are allowed to connect to this service via https. Also note that we are using a public SSL cert for this service which then needs to be renewed before expiry date.
SSL Cert Renewal (Token Signing and Token Encryption Generation):
*Note - Replacing the SSL and Service Communications certificates go hand-in-hand. Any time you are replacing one of these certificates, you must also replace the other. SSL certificates exist on all Federation Servers and Federation Server Proxy servers. Service Communications certificates only exist on Federation Servers.
1. Obtain a new certificate with the following requirements
a. Enhanced Key Usage is at least Server Authentication. If you are obtaining this from an internal MS Enterprise CA, the Web Server template will work fine.
b. Subject or Subject Alternative Name (SAN) must contain the DNS name of your Federation Service or an appropriate wildcard name. Example: sso.contoso.com or *.contoso.com
c. You may wish to generate the certificate request and mark the private key exportable so that you can move the certificate from one server to others in the case when you have a Federation Server farm or at least one Federation Server Proxy.
d. Take note of which server was used to generate the certificate request. The private key is generated and stored here. When you receive the certificate from the issuing CA, you will need to bring that file back to the server where the request was initiated so that you can create a private/public key pair.
e. The issuing CA that you choose is important because your Federation Server(s), Federation Server Proxy(ies), and all clients accessing your Federation Service must be able to chain to a trusted root certification authority when validating the SSL certificate. Customers will typically use a 3rd party, public CA for the SSL and Service Communications certificate.
2. ACL the SSL and Service Communications certificate to allow Read access for the AD FS 2.0 service account
*Note - For ADFS 2012 R2, see https://technet.microsoft.com/en-us/library/dn781428.aspx
**Note - This step must be completed on all Federation Servers only.
a. Click Start, Run, type MMC.exe, and press Enter
b. Click File, Add/Remove Snap-in
c. Double-click Certificates
d. Select Computer account and click Next
e. Select Local computer and click Finish
f. Expand Certificates (Local Computer), expand Personal, and select Certificates
g. Right-click your new SSL and Service Communications certificate, select All Tasks, and select Manage Private Keys
h. Add Read access for your AD FS 2.0 service account and click OK
i. Close the Certificates MMC
3. Bind the new SSL and Service Communications certificate to the web site in IIS which hosts the Federation Service
*Note - For ADFS 2012 R2, see https://technet.microsoft.com/en-us/library/dn781428.aspx
**Note - This step must be completed on all Federation Servers and Federation Server Proxy servers.
a. In IIS7 on Windows Server 2008 and Windows Server 2008 R2, you will select the web site, right-click, Edit Bindings, and select the SSL port, Edit, and use the drop-down to select the new SSL certificate:
*Note - Be careful when making your certificate selection. Your old SSL certificate and new SSL certificate will likely have the same subject name and/or friendly name, and this may make it difficult to differentiate between the two certificates. When in doubt, use thumbprint matching (see the Thumbprint Matching section at the end of this article).
4. Set a new Service Communications certificate in the AD FS Management console
*Note - This step needs to be completed just one time on a single Federation Server in the farm. Proxies are not involved here, and other Federation Servers in a farm will pick up this change automatically.
a. Launch AD FS Management from the Administrative Tools menu
b. Expand Service and select Certificates
c. In the Actions pane, click Set Service Communications Certificate...
d. You will be presented with a list of certificates that are valid for Service Communications. If you find that your new certificate is not being presented in the list, you need to go back and make sure that (a) the certificate is in the local computer Personal store with private key associated, and (b) the certificate has the Server Authentication EKU.
e. Select your new Service Communications certificate and click OK
* Note: Be careful when making your certificate selection. Your old Service Communications certificate and new Service Communications certificate might have the same subject name and/or friendly name, and this may make it difficult to differentiate between the two certificates. When in doubt, use thumbprint matching (see the Thumbprint Matching section at the end of this article).
5. Test SSL functionality for internal and external users to ensure that SSL is working as expected on the Federation Servers and the Federation Server Proxy servers.
6. Run the below commands to generate the Token Signing and Encryption Certificates
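For the thumbprint matching in steps 3 and 4 and the eligibility conditions in step 4d, the following is an added example (not part of the original article) that lists the certificates in the local computer Personal store with the properties those steps depend on, so the old and new certificates can be told apart. The default service name, the optional -ExpectedThumbprint parameter and the function names are assumptions made for the example.

```powershell
# Added example: read-only inventory of the local computer Personal store.
# Requires Windows PowerShell 3.0 or later (DnsNameList, [pscustomobject]).
param(
    # Placeholder taken from the article's own example; use your Federation Service name.
    [string]$FederationServiceName = 'sso.contoso.com',
    # Optional: thumbprint of the newly issued certificate, pasted from the CA or the MMC.
    [string]$ExpectedThumbprint = ''
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

function ConvertTo-NormalizedThumbprint {
    param([string]$Text)
    # Pasted thumbprints often carry spaces or invisible characters; keep hex digits only.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label:
        # *.contoso.com matches sso.contoso.com, not a.b.contoso.com or contoso.com.
        $suffix = $Pattern.Substring(1)
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return [string]::Equals($Pattern, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

function Get-FederationCertificateCandidate {
    param(
        [string]$ServiceName,
        [string]$Expected = '',
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    $wanted = ConvertTo-NormalizedThumbprint $Expected

    foreach ($cert in (Get-ChildItem -Path $StorePath)) {
        # Collect the EKU OIDs straight from the certificate extensions.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Subject CN and SAN DNS names as exposed by the certificate provider.
        $names = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode })
        $covers = $false
        foreach ($n in $names) {
            if (Test-DnsNameMatch -Pattern $n -HostName $ServiceName) { $covers = $true }
        }

        $valid  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        $hasEku = $ekuOids -contains $ServerAuthOid
        $match  = $null
        if ($wanted) { $match = ($cert.Thumbprint -eq $wanted) }

        [pscustomobject]@{
            Thumbprint        = $cert.Thumbprint
            Subject           = $cert.Subject
            NotBefore         = $cert.NotBefore
            NotAfter          = $cert.NotAfter
            HasPrivateKey     = $cert.HasPrivateKey
            ServerAuthEku     = $hasEku
            CoversServiceName = $covers
            # Step 4d: private key present and Server Authentication EKU, plus name and validity.
            Eligible          = ($cert.HasPrivateKey -and $hasEku -and $covers -and $valid)
            MatchesExpected   = $match
        }
    }
}

# Newest expiry first, so the renewed certificate sorts above the one it replaces.
Get-FederationCertificateCandidate -ServiceName $FederationServiceName -Expected $ExpectedThumbprint |
    Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, NotAfter, HasPrivateKey, ServerAuthEku, CoversServiceName, Eligible, MatchesExpected -AutoSize
```

Run it on each Federation Server and proxy before changing the binding; the row with MatchesExpected = True is the certificate to select, whatever its subject or friendly name.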
We had a WOL issue in Luxembourg: the WOL packets were not allowed by our core switch because the source IP of the packets was in the range 169.254.X.X instead of the server address.
The WOL packets originated from our domain controller's WOL client on LUXSRVDC001.
We found an article saying that domain controllers behave strangely on disconnected NICs, compared to a normal Windows server:
The disconnected NICs register with an APIPA address by default, and the WOL client was taking it as the source IP.
After disabling the disconnected NICs on the domain controllers, we were able to run our WOL correctly.
This behavior was likely occurring following recent Windows Updates.
This article talks about this behavior without giving an explanation of why this happens.
Over the past month we have had a couple of situations whereby Exchange was unavailable for a period of time in different offices due to issues encountered. Please note that should there be an issue with Exchange, Mimecast Webmail can temporarily be enabled for the staff affected so that they can continue communicating with their clients. The webmail is provided by Mimecast and will have all incoming emails bound for the staff member from external parties and their historical email (since March 2016) prior to the Exchange down situation. Staff will not see new internal emails on Mimecast webmail during the Exchange down situation, as these will queue on other Exchange servers in the organisation.
To allow the webmail for a group of staff / office then you need to add them to the following AD security group: Security - Global - Mimecast Allow Webmail in DR Situation
You will then need to get a Senior Team Member to login to Mimecast and perform an AD Sync:
This guide is meant to set up the Opsview repository in every office that is a member of Vistra.
When creating new scripts, service checks, event handlers, etc. for Opsview, files on the hosts (Opsview installation folder) need to be updated. To automate this process we create a scheduled task which deploys all files to the known hosts.
The current repository is located under: \\work.local\itsupport\Global\OpsView\Agent_Deploy\
Let's begin
Since we're bound to a lot of firewall rules this process needs to be done on the EPO (McAfee) servers. Log in on the relevant EPO server and continue these steps.
Security group - 1st we need to create a security group which contains all the servers that are managed by the specific office. For Amsterdam we created Security - IT - Amsterdam Opsview and added all relevant servers to this group.
Scheduled Task - Next we're going to create a scheduled task. You can either create one yourself or import the attached one. I would recommend using the attached one. If this document was written more than a year ago, I would recommend looking at other EPO servers and exporting their scheduled task. When importing this task make sure you let the task run as SVCOPSVIEW (This is very important!).
Copy Script - Next we need to create a folder (if it doesn't exist already) called C:\Scripts. Copy the attached .ps1 file (Opsview_scheduled_task.ps1) into this folder.
Edit Script - Next we have to edit the copied .ps1 script. Change the following lines:
$servers = get-adgroupmember -Identity 'XXXXX' | foreach { $_.Name }
$office = "XXX"
Replace the X's with the correct info. On the $servers line, enter your newly created group as described in the 1st step, so for Amsterdam it should be:
$servers = get-adgroupmember -Identity 'Security - IT - Amsterdam Opsview servers' | foreach { $_.Name }
On the $office line, enter the office this is meant for. Example: AMS
Create log folder - Create a folder in \\work.local\itsupport\Global\OpsView\Logs with the value you enter at the $office variable in above step.
Setting up the repository is done now. If you would like to know what actually happens keep on reading.
Security group - The security group is created because the Powershell script (explained later on) needs this to see what servers should be used.
Scheduled task - The scheduled task runs C:\Scripts\Opsview_scheduled_task.ps1 every night at 11PM.
Copy script - As of 18-4-2017 (moment of writing) this is the content of the script:
This script copies all files from \\work.local\itsupport\Global\OpsView\Agent_Deploy\ to the hosts' c:\program files\opsview folder and then restarts the opsview service on the hosts for the changes to take effect. If a host does not contain the opsview folder, the logs will say "Opsview doesn't seem to be installed on this machine. Please install it manually." The logs can be found in \\work.local\itsupport\Global\OpsView\Logs.
Launch SapLogon, Select 'Connections' then click the 'New' Icon to create a new connection:
Select 'user specified system' on the next page, then click Next:
Fill in the details as follows:
Click Next, Next, Finish without completing anything further.
Then, close and re-open SAPLogon to make sure it has retained the connection settings.
Next, the user will need to install the OpenVPN client.
Browse to https://vpn1.chromaflo.com and ask them to log in with the details they received from Chromaflo.
You can then download and install the OpenVPN client onto their PC.
After that to connect to SAP, they login to OpenVPN first, then launch the SAP logon client. Any support for how to use SAP should be directed to Chromaflo, the user will have contact details for them.
Once you have the export, sort the list by distinguished name. You should then be able to separate by office.
For all of the Amsterdam & Switzerland hub offices, go through the list and check the accounts with passwords that don't expire. If you're not sure if an account should be set, check with the user for the reason.
Service accounts should remain without expiry; however, no user account should have a password set to not expire.
The exception to this at the moment is offices that are using O365. In Mauritius for instance, their accounts are set to not expire to prevent sync issues with Outlook & 365. If you notice a lot of users from the same office, assume that this has been set to never expire for a reason and note in the Zendesk ticket.
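The review described above, as an added example that is not part of the original guide: it groups never-expiring accounts by office and proposes the action the guide gives for each case. The sample rows are constructed, and the 'svc' name prefix for service accounts, the rule that the top-level OU is the office, the threshold of 3 and both function names are assumptions to adjust to your directory.

```powershell
# Constructed sample export: every name, OU and account below is made up.
# A live list could come from, for example:
#   Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
#       Select-Object Name, SamAccountName, DistinguishedName
$sampleCsv = @'
Name,SamAccountName,DistinguishedName
"Doe, Jane",jdoe,"CN=Doe\, Jane,OU=Users,OU=Amsterdam,DC=example,DC=local"
Backup Service,svcbackup,"CN=Backup Service,OU=Service Accounts,OU=Amsterdam,DC=example,DC=local"
Ann Lee,alee,"CN=Ann Lee,OU=Users,OU=Mauritius,DC=example,DC=local"
Raj Patel,rpatel,"CN=Raj Patel,OU=Users,OU=Mauritius,DC=example,DC=local"
Tom Berg,tberg,"CN=Tom Berg,OU=Users,OU=Mauritius,DC=example,DC=local"
Eva Roth,eroth,"CN=Eva Roth,OU=Users,OU=Zurich,DC=example,DC=local"
'@

function Get-OfficeFromDn {
    param([string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash ("CN=Doe\, Jane" stays whole).
    $parts = $DistinguishedName -split '(?<!\\),'
    $ous = @($parts | Where-Object { $_ -match '^\s*OU=' })
    if ($ous.Count -eq 0) { return '(no OU)' }
    # Assumption: the top-level OU (the last OU before the DC components) is the office.
    return ($ous[-1] -replace '^\s*OU=', '').Trim()
}

function Get-NeverExpireReview {
    param(
        [Parameter(Mandatory = $true)][object[]]$Accounts,
        # Assumption: service accounts are recognisable by a name prefix.
        [string]$ServiceAccountPattern = '^svc',
        # Assumption: this many user accounts in one office counts as "a lot".
        [int]$OfficeWideThreshold = 3
    )

    $rows = foreach ($a in $Accounts) {
        [pscustomobject]@{
            Office            = (Get-OfficeFromDn $a.DistinguishedName)
            SamAccountName    = $a.SamAccountName
            DistinguishedName = $a.DistinguishedName
            IsService         = [bool]($a.SamAccountName -match $ServiceAccountPattern)
        }
    }

    foreach ($group in ($rows | Group-Object Office | Sort-Object Name)) {
        # Only user accounts count towards the office-wide threshold.
        $userCount = @($group.Group | Where-Object { -not $_.IsService }).Count

        foreach ($r in ($group.Group | Sort-Object DistinguishedName)) {
            if ($r.IsService) {
                $action = 'Service account: leave without expiry'
            }
            elseif ($userCount -ge $OfficeWideThreshold) {
                $action = 'Many users in this office: assume deliberate, note in ticket'
            }
            else {
                $action = 'User account: check with the user for the reason'
            }

            [pscustomobject]@{
                Office  = $r.Office
                Account = $r.SamAccountName
                Action  = $action
            }
        }
    }
}

Get-NeverExpireReview -Accounts ($sampleCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

With the constructed rows, the three Mauritius users are reported as an office-wide setting, while jdoe and eroth are listed for follow-up and svcbackup is left alone.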
See attached PS script. This script should run (from AMSSRVADMIN001) and check that the permissions are set correctly on each users$ folder.
The user should be the owner of their own J: drive folder.
Run the script and then use the output to make any necessary corrections.
If the above doesn't work, use the following method.
Open the spreadsheet 'OV Starters & Leavers' from \\work.local\ITsupport
Looking at the starters tab for the past 3 months, go through the list (For AMS Hub sites only) and check each user has been given the correct permissions on their J: drive:
For Amsterdam users, J: drive is "\\amssrvfs001\nlusers$\%username%"
For other sites, replace the 'nl' with the office code (MLT, DBX etc...)
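One way to run the ownership check described above (an added example, not the attached script the article refers to): it walks a users$ share and compares each folder's owner with the account named after the folder. It assumes the folder name equals the username, as the %username% path implies, and takes the domain name WORK from the group names elsewhere on this page; the function name and finding texts are hypothetical.

```powershell
function Test-HomeFolderOwner {
    param(
        # Share that holds one folder per user, e.g. \\amssrvfs001\nlusers$
        [Parameter(Mandatory = $true)][string]$SharePath,
        # NetBIOS domain name used to build the expected owner (DOMAIN\username)
        [Parameter(Mandatory = $true)][string]$Domain
    )

    foreach ($dir in (Get-ChildItem -LiteralPath $SharePath -Directory)) {
        # Assumption: the folder name is the user's logon name.
        $expected = '{0}\{1}' -f $Domain, $dir.Name
        $owner    = $null
        $finding  = $null

        try {
            $owner = (Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop).Owner
        }
        catch {
            # Access denied or a broken ACL is itself something to correct.
            $finding = 'ACL unreadable: ' + $_.Exception.Message
        }

        if (-not $finding) {
            if ($owner -eq $expected) {
                $finding = 'OK'
            }
            elseif ($owner -match '^S-1-') {
                # Get-Acl shows a raw SID when the account no longer resolves.
                $finding = 'Owner SID does not resolve (deleted account?)'
            }
            elseif ($owner -match '\\Administrators$') {
                $finding = 'Owned by Administrators: set the owner to the user'
            }
            else {
                $finding = 'Owner is a different account'
            }
        }

        [pscustomobject]@{
            Folder        = $dir.FullName
            ExpectedOwner = $expected
            ActualOwner   = $owner
            Finding       = $finding
        }
    }
}

# Amsterdam share from this page; for other sites replace 'nl' with the office code.
Test-HomeFolderOwner -SharePath '\\amssrvfs001\nlusers$' -Domain 'WORK' |
    Where-Object { $_.Finding -ne 'OK' } |
    Format-Table -AutoSize
```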
Check Pool Monitor Tool, check Archive log files in Archive Manager
You will need to follow these steps for the following sites:
Amsterdam Hub - AMSSRVARC001
Cyprus - CYPSRVDC001
Zurich - ZRHSRVARC001
Open Enterprise archive manager, connect to a server (using above as guide) go to the 'Jobs' tab:
Click 'Job Reporting' at the bottom left, this brings up the pool monitor.
Run down the list of errors for each job, Items with a green envelope are fine, items with a red envelope failed.
Check that there are no errors within the last 90 days. If there are, check if the person is a leaver. If they are still an active user, then make a note of this on the ticket in Zendesk.
You or another engineer will then need to contact those users and troubleshoot to make sure their archiving is working.
The Amsterdam team needs to keep the diagrams updated for the following sites:
Amsterdam
BVI
Curacao
Cyprus
Switzerland (Zurich, Zug, Geneva)
You will need MS Visio installed on your computer to update these. They must be kept up to date with any new servers or network equipment that has been added since the last time this task was completed. Following the existing diagram should give you an idea of what is needed, if unsure ask a senior member of the team.
Check that the radio button for URL is checked, then click 'Update'
Then, log into https://zrhsrvepo01:8443 (from Zurich Admin) and repeat the above. If the URL update fails, go to http://standards.ieee.org/regauth/oui/oui.txt and save a copy of the text file to the Zurich admin server. Then use the file upload option to update the file.
Once you have the extract, sort it by office. You must remove any IT Admin accounts, service accounts, generic accounts & leavers from the list - leavers shouldn't be on there and access should be disabled immediately if they appear there. You can see leavers in the Leavers OU in AD.
Your list should look something like this:
These are the offices you will need to send to:
Antwerp - Eric Hendrickx
Barcelona/Madrid- Xavier Nuet
BVI - Rexella Hodge
Berlin - Gijs Hospers
Curacao - Connie Padilla
Cyprus - Gerard van Spall
Dubai - Barbara Neuerberg
Eemnes - David Spetter
Frankfurt - Marcus Friedrichs
Geneva - Walter Stresseman, Angelica Heinzen
Malta - Derren Busuttil, Marco Bugelli, Alistair Schembri
Rotterdam - Daniel Bolt
Soest - David Spetter
Zug - Massimo Mattanza
Zurich - Massimo Mattanza - Susana Frey
Use the following template for the email:
Dear Colleagues,
IT is currently conducting the quarterly review of email access.
Attached is the current list of colleagues with access to Webmail & Email on their mobile device.
Please review the list asap and advise by return email if any changes are required.
Once you receive the responses, update in Exchange accordingly. If you do not receive a response within 7 days, send a chase email. If you still haven't had a response in a further 7 days escalate to the IT Support Manager.
Cleaning tape needs to be run on tape drives in the following offices:
Amsterdam - go to data centre to run cleaning tapes
Cyprus - Contact Lilia Akrivopoulou to run the tape.
Zurich - Contact Elena Bunker to run the cleaning tape.
Log into ArcServe Backup Manager on AMSSRVSTORE001, CYPSRVDC001, ZRHSRVDC001 and run the cleaning tape job. Speak to Lloyd, Ross or Ambrus if assistance is required with this.
Make an export from AD for each Amsterdam hub satellite office, and also create a separate list that contains IT & BSS admin accounts (from the IT Users OU).
Include the following in the export (you do this by choosing columns in AD before exporting):
Name
Job Title
Description
Email Address
Telephone Number
Division
Office
Remove any service accounts, IT users or generic / shared accounts from the list; there is a separate operational task for these.
Send the list to the HR Managers/MD's for each office (list below) using the following template:
Dear...
IT is conducting its quarterly audit of user accounts.
Attached is the list of users currently in the directory for your office. Please review this information and respond confirming any changes that need to be made, or to confirm the list is correct.
If you have any questions about this, please feel free to contact me using the details below.
Kind regards
Amsterdam - Ron Arendsen, Vanessa Mittendorf,
Antwerp - Eric Hendrickx
Barcelona/Madrid- Victoria Oliver
BVI - Rexella Hodge
Berlin - Gijs Hospers
Curacao - Connie Padilla
Cyprus - Gerard van Spall
Dubai - Barbara Neuerberg
Eemnes - David Spetter
Frankfurt - Marcus Friedrichs
Geneva - Walter Stresseman, Angelica Heinzen
Malta - Derren Busuttil, Marco Bugelli, Alistair Schembri
Rotterdam - Daniel Bolt
Soest - Oliver Oser
Zurich & Zug Bruno Sidler - Susana Frey
When you receive a response, update the relevant information in AD, then file the email in the evidence folder for this task.
Log into vistra.sharefile.com and go to People>Manage Users Home
Click 'Export Full User List' - this will download an excel list of users.
Sort this list by last logon date.
For all users that have not logged on for over 90 days, send an email to them asking if they still require access.
If no response within 7 days, send a reminder advising if there is no response then their account will be removed in a further 7 days.
If no response received still, delete the user from Sharefile.
Updated 09-03-2018 LP:
Please use the attached email to send out to the employees that are filtered from the above list. There are three rules created in the ITsupport box that will filter the emails as shown below:
Then use the ePO to deploy the missing software, if any issues report them to Jamie.
To delete the machines that have not reported in over 30 days, go to Menu > System Tree, select "this group and all sub groups" in the leftmost drop-down menu and run a search without any extra filters. This shows all machines reporting in ePO. Sort them by last communication, then delete all machines that have not communicated in 30 days via Actions -> Directory Management -> Delete.
Contacts:
Guernsey: Tim Laine, John Collenette
Jordans and Bristol: Rhodri Jones
Jersey and VGML: Ross Pringle, Yuri Miranda
London: Bryan
US: Freddie Mac
Once you have the extract, sort it by office and then send the list for Amsterdam to HR and Janine Hildebrandie, CC Ron Arendsen and Vanessa Mittendorf.
IMPORTANT NOTE: You must remove any IT Admin accounts, service accounts, generic accounts & leavers from the list - leavers shouldn't be on there and access should be disabled immediately if they appear there.
Use the following template for the email:
Dear Colleagues,
IT is currently conducting the monthly review of email access.
Attached is the current list of colleagues with access to Webmail & Email on their mobile device.
Please review the list asap and advise by return email if any changes are required.
Vistra Ltd provides individual DDIs to its customers to call into their phone systems. When a customer calls this number they should be welcomed using their own company name. This requires an inbound hunt-group to be created.
This procedure documents the steps required to add a new customer on the Vistra Ltd Unified Communications Manager Platform. The following pre-requisites must be met:
A list of users in the hunt-group for the customer
The DDI that the customer has been provided with
Method
1. Log into the Cisco UCM System
2. Add a new line group by accessing Call Routing -> Route/Hunt -> Line Group, and click “Add”
3. Give the line group a name of lg-<customer name>
4. Change the distribution algorithm to “broadcast”
5. Select the extension numbers to be in the new group and select “add to line group”
6. Once complete click “save”
7. Navigate to hunt-lists by accessing “Call Routing -> Route/Hunt -> Hunt List”
8. Click “add new”
9. Name the hunt-list hl-<customer name>
10. Enter a sensible description
11. Tick “enable”
12. Select any CMG
13. Save the hunt list, then click “add a line group”
14. Select the correct line group and then click “Save”
15. Navigate to hunt-pilots by accessing “Call Routing -> Route/Hunt -> Hunt Pilot”
16. Click find, then select the latest existing hunt-pilot for an existing customer
17. Click Copy
18. Change the pilot number to the next available number in the 56XX range
19. Change the description to a sensible value
20. Change the hunt list to the new hunt list you created in sections 9-14
21. Change the Alerting Names to the customer name, then click “Save”
22. Finally, navigate to “Call Routing -> Translation Patterns”
23. Search for and select an existing customer number, then click “Copy”
24. Change the translation pattern to the DDI number allocated to the customer
25. Change the description to the customer name
26. Scroll to the bottom of the page, and change the “called party transform mask” to the new hunt pilot number you created in section 15-20
27. Finally click Save
28. The new customer is now deployed. You can test by placing an inbound call to the customer DDI
Reference Documents
In order to administer the system some useful documents can be found at the following links.
If you have an issue with Worksite (or any other plugin) not loading automatically when starting Word, Excel or Outlook, this can be caused by the registry key having the wrong value.
FOG slaves are easily configured by cloning existing slaves. The following guide explains the procedure for deploying a new FOG slave. The only requirements are a hypervisor and DHCP.
1. Copy the Hyper-V disk of an existing slave and transfer it to the new remote hypervisor server. Watch out for the internet line and the VPN between the offices you are copying between. Preferably start the copy on a Friday afternoon.
2. Once copied, create a VM and attach this disk. Do not connect it to the network yet.
3. While it is offline, turn it on, log in with user fog, rename the host name and reboot. Then give it network access and an IP address.
4. As sudo, adjust the FOG settings in the following hidden file to match the new host details: /opt/fog/.fogsettings
5. Go to http://amssrvfog01 and create a new storage group and storage node
6. Back on the FOG slave, run the installation with sudo as the fog user. Make sure that while it runs you see the configuration you set earlier in .fogsettings:
cd /fogproject
./installfog.sh
7. If the install fails, make sure you have internet access and that apt-get install works. Certain packages might require updating.
8. Once complete, go to http://amssrvfog01 and under settings check that your slave is visible and reporting back.
9. If all is complete, go to your local DHCP server and add option 66 and option 67. Option 66 is your FOG slave IP and option 67 is the image file undionly.kpxe. More info: https://wiki.fogproject.org/wiki/index.php?title=Modifying_existing_DHCP_server_to_work_with_FOG
10. Now test PXE booting from either Hyper-V or a physical machine.
Orangefield (acquired by Vistra) used to have Accountview.
This was later replaced by millogic, but certain client data is still left behind inside it.
Please see the below guide on how to provide access:
1. Install the application using the below path: \\amssrvfs001\sources$\OF\ACCOUNTVIEW-71-NL-R01\Installation\install.cmd
2. With Notepad, create a batch (.bat) file containing the below lines and place it on the user’s desktop:
net use w: /delete
net use w: \\AMSSRVFS003\AppsProg_NLAM$
3. Create shortcuts to the programs in C:\Program Files (x86)\accountview and place them on the user’s desktop.
4. If the user has no credentials, ask Business Systems (Jeroen Beijer) to create / provide access inside.
Info: the program uses the W: drive for the executables and the R: drive for data.
You will require access to the SafeNet portal to perform this task.
1. Export a list of all users in the following security group: Security - Global Citrix Token Users You can use the attached script to get the export, once you have the export, filter it to display only the following offices:
Amsterdam Antwerp Barcelona Madrid BVI Berlin Curacao Cyprus Dubai Eemnes Frankfurt Geneva Malta Rotterdam Soest Zug Zurich
2. Log into - https://cloud.safenet-inc.com/console/Default.aspx
2) Click “Report” then click “Browse Employees”
4) Now that you can view all the employees, check for users who have not logged in for more than 3 months
* DO NOT email EX CO members, directors and IT staff!
like Martin Crawford, Ad de Beer, Walter Stresemann, etc
5) email the users and save the emails here:
see attached email that you can use as template
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\sent emails
6) wait for replies and save the emails here:
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\received emails
7) if they don't use sharefile anymore
- reset the password
- downgrade the account to client
6) Once you have completed CHE you can move on to doing the same check for LUX Vault by logging into https://luxvault.sharefile.com (log in details in Password Database)
general link
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check
please update the license sheet as shown in the monthly task https://itsupport.vistra.com/hc/en-gb/articles/207282665-Share-file-Licencing-Monthly-Task-M17
Subject: Monthly Remote Access Check
Message:
Dear ,
We are performing the monthly audit of colleagues who currently have remote access to the Vistra Network via Citrix.
Please review the below list and advise by return email if any user's access should be revoked.
If you have any questions about this, please contact IT Support.
Kind regards
When you receive the replies, remove any users mentioned from the security group then store the emails in the evidence folder.
You must chase the replies if they are not received within a few days. We will fail our audit if these checks are not completed on time. If you do not receive a reply after 2 chases, notify Jamie
For this task, you need to run the following query in Exchange Powershell, from AMSSRVADMIN001:
Get-MailboxDatabase -Status | Sort-Object Name | Format-Table Name, DatabaseSize, AvailableNewMailboxSpace
The output should look like this:
For each database, compare the size with the check from the previous month and report any significant changes to a senior member of the team. This is so we can monitor unusual growth.
Store a copy of the output in the evidence folder along with a list of reported discrepancies.
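The month-on-month comparison described above can be scripted. This is an added example for the Exchange Management Shell, not the team's own script; the evidence folder placeholder, the CSV file naming and the 10% threshold for a "significant" change are assumptions, since the page does not define them.

```powershell
# Added example: month-on-month mailbox database size comparison.
# Run in the Exchange Management Shell.
# Assumptions (not from the page): $EvidenceDir, the CSV naming and the 10 %
# threshold used for a "significant" change.

$EvidenceDir   = 'C:\Temp\ExchangeDbEvidence'   # placeholder: use this task's evidence folder
$ReportPercent = 10

function ConvertTo-ByteCount {
    param($Size)
    # DatabaseSize renders as "12.5 GB (13,421,772,800 bytes)". In a remote
    # session the value is deserialized and has no .ToBytes() method, so the
    # byte count is parsed from the text, which works in both cases.
    if ("$Size" -match '\(([\d,\.\s]+)bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    return $null   # e.g. a dismounted database reports no size
}

if (-not (Test-Path $EvidenceDir)) {
    New-Item -ItemType Directory -Path $EvidenceDir | Out-Null
}

$now      = Get-Date
$thisFile = Join-Path $EvidenceDir ('MailboxDatabaseSize-{0:yyyy-MM}.csv' -f $now)
$prevFile = Join-Path $EvidenceDir ('MailboxDatabaseSize-{0:yyyy-MM}.csv' -f $now.AddMonths(-1))

# Same query as on the page, reduced to comparable numbers.
$current = Get-MailboxDatabase -Status | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        SizeBytes       = ConvertTo-ByteCount $_.DatabaseSize
        WhitespaceBytes = ConvertTo-ByteCount $_.AvailableNewMailboxSpace
    }
}
# Evidence copy for this month, and next month's baseline.
$current | Export-Csv -Path $thisFile -NoTypeInformation

$previous = @{}
if (Test-Path $prevFile) {
    Import-Csv -Path $prevFile | ForEach-Object { $previous[$_.Name] = $_.SizeBytes }
} else {
    Write-Warning "No baseline at $prevFile; nothing to compare against this month."
}

$report = foreach ($db in $current) {
    $old = $null; $pct = $null; $status = 'OK'
    if ($null -eq $db.SizeBytes) {
        $status = 'Size unavailable (dismounted?)'
    } elseif (-not $previous.ContainsKey($db.Name)) {
        $status = 'No baseline for this database'
    } else {
        $old = [int64]$previous[$db.Name]   # an empty CSV field casts to 0
        if ($old -le 0) {
            $status = 'No size recorded last month'
        } else {
            $pct = [math]::Round(100 * ($db.SizeBytes - $old) / $old, 1)
            if ([math]::Abs($pct) -ge $ReportPercent) {
                $status = 'REPORT: significant change'
            }
        }
    }
    [pscustomobject]@{
        Name          = $db.Name
        PreviousGB    = if ($old) { [math]::Round($old / 1GB, 2) }
        CurrentGB     = if ($null -ne $db.SizeBytes) { [math]::Round($db.SizeBytes / 1GB, 2) }
        ChangePercent = $pct
        Status        = $status
    }
}

# A database that existed last month but is missing now also needs explaining.
$currentNames = @($current | ForEach-Object { $_.Name })
foreach ($name in $previous.Keys) {
    if ($currentNames -notcontains $name) {
        Write-Warning "Database '$name' was present last month but is not returned now."
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -Path (Join-Path $EvidenceDir ('MailboxDatabaseDiscrepancies-{0:yyyy-MM}.csv' -f $now)) -NoTypeInformation
```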
In the Archive manager, go to Tools>Address Book Manager:
Go to the Mailboxes tab, arrange by display name and then check that any leavers from the previous month on the spreadsheet have been disabled in archive manager. Make a list of any mailboxes you have de-activated and store in the evidence folder.
This needs to be completed for all of the above servers.
Next, close the address book manager and go to the 'Jobs' Tab, then click 'Job Reporting':
Check the list of errors for each job and if any occurred within the last month, you need to first check if that mailbox is de-activated (if so, ignore the error) and if not then investigate.
Again this needs to be completed for all the above servers.
When that is done, close the Jobs window, then go to 'Help'>'License'. Take a screenshot of the license box and add to the evidence folder.
Note that Archive Manager will shortly be decommissioned so we will not purchase any further licenses.
We receive an email digest of domains that are due to expire.
We get this once a month in the IT Support mailbox, subject: Domain Expiry Report
We also get a quarterly digest from ComLaude with domains due to expire that quarter. For domains registered with ComLaude, the default is that the domain is renewed unless we tell them otherwise.
An example of the domain expiry report is attached.
Go through the list and send an email to each named person on each domain to ask if the domain should be renewed or cancelled.
If you do not see a contact name on the report, then you will need to check the toolpad:
http://vistragroup.toolpad.com - if you do not have access to this, check with a senior member of the team.
Once you have received the answer back, you should do one of the following:
Hosted with ComLaude:
Renew - no action needed
Cancel - email Dylan.Facer@comlaude.com to cancel the domain upon its expiry.
Hosted with IXWebHosting:
Renew or Cancel - log into manage.ixwebhosting.com (details in password manager) and take the appropriate action.
Hosted with EuropeRegistry
Renew or Cancel - log into EuropeRegistry (details in password manager) and take the appropriate action.
An email should be sent to the Cyprus & Zurich offices regarding their end of month tape backup.
For Cyprus, email Lilia.Akrivopoulou@vistra.com
For Zurich, email Mirjam.Boehnke@vistra.com
You should request that they place the tape in the drive for their month end backup. They should then label the tape as such.
Once the backup is completed (this should be scheduled) then you must contact them to remove the tape so they can arrange for the tape to be collected and stored offsite securely. They should also request that any tapes older than 1 year are returned to the office to be re-used.
Once completed, mark ticket as completed, store email evidence in the evidence folder here:
\\work.local\itsupport\IT Support - Europe\IT Operational Tasks\IT Monthly Task Evidence
Then update the Monthly & Quarterly task spreadsheet.
Please note that the devices connected to CS01 on ports 45 and 46 are unknown at the moment. A question has been raised with the local IT contact to find out what they are. It is believed that one of these devices also has the Meraki connected to it. This page will be updated when more information is available.
This document provides information on Vistra's ADFS infrastructure and the solutions that rely on it.
Authentication Flow:
1. The client PC/browser tries to access the resource (Intranet, Skillsoft, Policyhub, Mimecast Mailbox).
2. The resource server cannot authenticate the user because the user is unknown to it, so it queries its respective federation service.
3. Work.local AD is configured as a claims provider on the federated solution. The service provider SAML/IDP server queries the work.local federation server for the user identity.
4 and 5. The federation server validates the user and issues a token to validate identity to the federation server in Policyhub.
6. The token is accepted and decrypted.
7. The user is allowed to access the resource server.
8. Resource server contents are returned to the user’s browser.
All work.local users will sync to Mimecast via SLDAP connections automatically 24 hours after the account creation
4. SkillSoft
Normal accounts - add user to "SkillportUsers" security group
Admin account (HRBP) - add user to "SkillportLeadership" security group
Vistra ADFS Infrastructure Setup:
AMSSRVADFS001 (10.30.10.2) – Primary ADFS Server
AMSSRVADFS002 (10.30.10.3) – Secondary ADFS Server
vistra.com (10.30.10.4) NLB cluster IP and ADFS service domain name
ADFS service name service account is SVCADFS (saved in PW DB)
Note: auth.vistra.com has an external IP (152.194.64.8) and all Vistra/OIL, CEE offices and Policy Hub ADFS Servers are allowed to connect to this service via https. Also note that we are using a public SSL cert for this service which then needs to be renewed before expiry date.
SSL Cert Renewal (Token Signing and Token Encryption Generation):
*Note - Replacing the SSL and Service Communications certificates go hand-in-hand. Any time you are replacing one of these certificates, you must also replace the other. SSL certificates exist on all Federation Servers and Federation Server Proxy servers. Service Communications certificates only exist on Federation Servers.
1. Obtain a new certificate with the following requirements
a. Enhanced Key Usage is at least Server Authentication. If you are obtaining this from an internal MS Enterprise CA, the Web Server template will work fine.
b. Subject or Subject Alternative Name (SAN) must contain the DNS name of your Federation Service or an appropriate wildcard name. Example: sso.contoso.com or *.contoso.com
c. You may wish to generate the certificate request and mark the private key exportable so that you can move the certificate from one server to others in the case when you have a Federation Server farm or at least one Federation Server Proxy.
d. Take note of which server was used to generate the certificate request. The private key is generated and stored here. When you receive the certificate from the issuing CA, you will need to bring that file back to the server where the request was initiated so that you can create a private/public key pair.
e. The issuing CA that you choose is important because your Federation Server(s), Federation Server Proxy(ies), and all clients accessing your Federation Service must be able to chain to a trusted root certification authority when validating the SSL certificate. Customers will typically use a 3rd party, public CA for the SSL and Service Communications certificate.
2. ACL the SSL and Service Communications certificate to allow Read access for the AD FS 2.0 service account
*Note - For ADFS 2012 R2, see https://technet.microsoft.com/en-us/library/dn781428.aspx
**Note - This step must be completed on all Federation Servers only.
a. Click Start, Run, type MMC.exe, and press Enter
b. Click File, Add/Remove Snap-in
c. Double-click Certificates
d. Select Computer account and click Next
e. Select Local computer and click Finish
f. Expand Certificates (Local Computer), expand Personal, and select Certificates
g. Right-click your new SSL and Service Communications certificate, select All Tasks, and select Manage Private Keys
h. Add Read access for your AD FS 2.0 service account and click OK
i. Close the Certificates MMC
3. Bind the new SSL and Service Communications certificate to the web site in IIS which hosts the Federation Service
*Note - For ADFS 2012 R2, see https://technet.microsoft.com/en-us/library/dn781428.aspx
**Note - This step must be completed on all Federation Servers and Federation Server Proxy servers.
a. In IIS7 on Windows Server 2008 and Windows Server 2008 R2, you will select the web site, right-click, Edit Bindings, and select the SSL port, Edit, and use the drop-down to select the new SSL certificate:
*Note - Be careful when making your certificate selection. Your old SSL certificate and new SSL certificate will likely have the same subject name and/or friendly name, and this may make it difficult to differentiate between the two certificates. When in doubt, use thumbprint matching (see the Thumbprint Matching section at the end of this article).
4. Set a new Service Communications certificate in the AD FS Management console
*Note - This step needs to be completed just one time on a single Federation Server in the farm. Proxies are not involved here, and other Federation Servers in a farm will pick up this change automatically.
a. Launch AD FS Management from the Administrative Tools menu
b. Expand Service and select Certificates
c. In the Actions pane, click Set Service Communications Certificate...
d. You will be presented with a list of certificates that are valid for Service Communications. If you find that your new certificate is not being presented in the list, you need to go back and make sure that (a) the certificate is in the local computer Personal store with private key associated, and (b) the certificate has the Server Authentication EKU.
e. Select your new Service Communications certificate and click OK
* Note: Be careful when making your certificate selection. Your old Service Communications certificate and new Service Communications certificate might have the same subject name and/or friendly name, and this may make it difficult to differentiate between the two certificates. When in doubt, use thumbprint matching (see the Thumbprint Matching section at the end of this article).
5. Test SSL functionality for internal and external users to ensure that SSL is working as expected on the Federation Servers and the Federation Server Proxy servers.
6. Run the below commands to generate the Token Signing and Encryption Certificates
We had a WOL issue in Luxembourg: the WOL packets were not allowed by our core switch because their source IP was in the range 169.254.X.X instead of the server address.
The WOL packets originated from the WOL client on our domain controller LUXSRVDC001
We found an article saying that domain controllers have a strange behavior on disconnected NICs, compared to a normal Windows server :
The disconnected NICs are registering with an APIPA Address by default, and the WOL Client was taking it as the source IP
After disabling the disconnected NICs on domain controllers, we were able to run our WOL correctly
This behavior was likely occurring following recent Windows Updates
This article talks about this behavior without giving an explanation why this happens
Over the past month we have had a couple of situations where Exchange was unavailable for a period of time in different offices. If there is an issue with Exchange, Mimecast Webmail can temporarily be enabled for the affected staff so that they can continue communicating with their clients. The webmail is provided by Mimecast and contains all incoming emails from external parties bound for the staff member, plus their historical email (since March 2016) from before the Exchange outage. Staff will not see new internal emails in Mimecast webmail during the outage, as these queue on other Exchange servers in the organisation.
To allow webmail for a group of staff or an office, add them to the following AD security group: Security - Global - Mimecast Allow Webmail in DR Situation
You will then need to get a Senior Team Member to login to Mimecast and perform an AD Sync:
This guide is meant to set up the Opsview repository in every office that is a member of Vistra.
When creating new scripts, service checks, event handlers, etc. for Opsview, files on the hosts (Opsview installation folder) need to be updated. To automate this process we create a scheduled task which deploys all files to the known hosts.
The current repository is located under: \\work.local\itsupport\Global\OpsView\Agent_Deploy\
Let's begin
Since we're bound to a lot of firewall rules this process needs to be done on the EPO (McAfee) servers. Log in on the relevant EPO server and continue these steps.
Security group - 1st we need to create a security group which contains all the servers that are managed by the specific office. For Amsterdam we created Security - IT - Amsterdam Opsview and added all relevant servers to this group.
Scheduled Task - Next we're going to create a scheduled task. You can either create one yourself or import the attached one. I would recommend using the attached one. If this article was written more than a year ago, I would recommend looking at other EPO servers and exporting their scheduled task. When importing this task, make sure you let the task run as SVCOPSVIEW (this is very important!).
Copy Script - Next we need to create a folder (if it doesn't exist already) called C:\Scripts. Copy the attached .ps1 file (Opsview_scheduled_task.ps1) into this folder.
Edit Script - Next we have to edit the copied .ps1 script. Change the following lines:
$servers = get-adgroupmember -Identity 'XXXXX' | foreach { $_.Name }
$office = "XXX"
Replace the X's with the correct info. On the $servers line, enter the group you created in the 1st step, so for Amsterdam it should be $servers = get-adgroupmember -Identity 'Security - IT - Amsterdam Opsview servers' | foreach { $_.Name }. On the $office line, enter the office this is meant for. Example: AMS
Create log folder - Create a folder in \\work.local\itsupport\Global\OpsView\Logs with the value you enter at the $office variable in above step.
Setting up the repository is done now. If you would like to know what actually happens keep on reading.
Security group - The security group is created because the Powershell script (explained later on) needs this to see what servers should be used.
Scheduled task - The scheduled task runs C:\Scripts\Opsview_scheduled_task.ps1 every night at 11PM.
Copy script - As of 18-4-2017 (moment of writing) this is the content of the script:
This script copies all files from \\work.local\itsupport\Global\OpsView\Agent_Deploy\ to each host's c:\program files\opsview folder and then restarts the opsview service on the host for the changes to take effect. If a host does not contain the opsview folder, the logs will say "Opsview doesn't seem to be installed on this machine. Please install it manually." The logs can be found in \\work.local\itsupport\Global\OpsView\Logs.
Launch SapLogon, Select 'Connections' then click the 'New' Icon to create a new connection:
Select 'user specified system' on the next page, then click Next:
Fill in the details as follows:
Click Next, Next, Finish without completing anything further.
Then, close and re-open SAPLogon to make sure it has retained the connection settings.
Next, the user will need to install the OpenVPN client.
Browse to https://vpn1.chromaflo.com and ask them to log in with the details they received from Chromaflo.
You can then download and install the OpenVPN client onto their PC.
After that to connect to SAP, they login to OpenVPN first, then launch the SAP logon client. Any support for how to use SAP should be directed to Chromaflo, the user will have contact details for them.
Once you have the export, sort the list by Distinguished name. You should then be able to separate by office.
For all of the Amsterdam & Switzerland hub offices, go through the list and check the accounts with passwords that don't expire. If you're not sure if an account should be set, check with the user for the reason.
Service accounts should remain without expiry, however any user account should not have a password set to not expire.
The exception to this at the moment is offices that are using O365. In Mauritius for instance, their accounts are set to not expire to prevent sync issues with Outlook & 365. If you notice a lot of users from the same office, assume that this has been set to never expire for a reason and note in the Zendesk ticket.
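The review rules above (service accounts exempt, individual users checked, office-wide settings noted on the ticket) can be applied to a fresh query instead of a hand-sorted export. This is an added example, not the team's script; it assumes service accounts start with "SVC" (as SVCADFS and SVCOPSVIEW do on this page), that an account's parent container in its distinguished name identifies its office, and that 10 or more accounts in one container counts as "a lot".

```powershell
# Added example: triage of enabled accounts whose password never expires.
# Requires the ActiveDirectory module (RSAT).
# Assumptions (not from the page): the 'SVC' naming prefix for service accounts,
# parent container = office, and the threshold of 10 accounts per container.

Import-Module ActiveDirectory

$ServiceAccountPattern = '^SVC'
$OfficeWideThreshold   = 10
$OutFile               = '.\PasswordNeverExpires-Review.csv'

# Search-ADAccount also accepts -SearchBase if the review should be limited
# to the OUs of specific hub offices.
$accounts = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Name             = $_.Name
            # Parent container: the DN without its first RDN. Split on the first
            # comma that is not escaped (names such as "Smith\, John" contain one).
            Container        = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            LastLogonDate    = $_.LastLogonDate
            IsServiceAccount = [bool]($_.SamAccountName -match $ServiceAccountPattern)
        }
    }

$review = foreach ($group in ($accounts | Group-Object Container)) {
    # Only non-service accounts count towards "a lot of users from the same office".
    $userCount = @($group.Group | Where-Object { -not $_.IsServiceAccount }).Count

    foreach ($account in $group.Group) {
        $action = if ($account.IsServiceAccount) {
            'None: service account, no expiry expected'
        } elseif ($userCount -ge $OfficeWideThreshold) {
            'Likely office-wide setting (e.g. O365 sync): note in the Zendesk ticket'
        } else {
            'Check with the user for the reason'
        }
        $account | Select-Object *, @{ Name = 'Action'; Expression = { $action } }
    }
}

# Sorted by container so the output separates by office, as the manual export does.
$review | Sort-Object Container, SamAccountName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Summary of how many accounts fall under each action.
$review | Group-Object Action | Select-Object Count, Name | Format-Table -AutoSize
```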
See attached PS script. This script should run (from AMSSRVADMIN001) and check that the permissions are set correctly on each users$ folder.
The user should be the owner of their own J: drive folder.
Run the script and then use the output to make any necessary corrections.
If the above doesn't work, use the following method.
Open the spreadsheet 'OV Starters & Leavers' from \\work.local\ITsupport
Looking at the starters tab for the past 3 months, go through the list (For AMS Hub sites only) and check each user has been given the correct permissions on their J: drive:
For Amsterdam users, J: drive is "\\amssrvfs001\nlusers$\%username%"
For other sites, replace the 'nl' with the office code (MLT, DBX etc...)
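The ownership rule above (each user owns their own J: drive folder) can be checked for a whole share in one pass. This is an added example and not the attached script, which is not reproduced on this page; it assumes each folder under the share is named after the user's logon name, as the %username% in the path implies.

```powershell
# Added example: report user folders whose owner is not the user.
# Assumption (not from the page): folder name = the user's logon name.

$Share   = '\\amssrvfs001\nlusers$'   # Amsterdam; for other sites replace 'nl' with the office code
$OutFile = '.\JDrive-Ownership-Findings.csv'

$results = Get-ChildItem -Path $Share -Directory -ErrorAction Stop | ForEach-Object {
    $folder  = $_
    $owner   = $null
    $problem = $null

    try {
        $acl   = Get-Acl -Path $folder.FullName -ErrorAction Stop
        $owner = $acl.Owner   # 'DOMAIN\user', or a raw SID when the account no longer exists

        # Compare on the account name only, so the domain prefix does not matter.
        $ownerName  = ($owner -split '\\')[-1]
        $userHasAce = [bool]($acl.Access | Where-Object {
            ($_.IdentityReference.Value -split '\\')[-1] -eq $folder.Name
        })

        if (-not $owner) {
            $problem = 'Owner could not be read'
        } elseif ($owner -match '^S-1-') {
            $problem = 'Owner SID does not resolve (deleted account or leaver?)'
        } elseif ($ownerName -ne $folder.Name) {
            $problem = 'Owner is not the user'
        } elseif (-not $userHasAce) {
            $problem = 'User owns the folder but has no access entry of their own'
        }
    } catch {
        # Access denied is itself a finding: the admin account should be able to read the ACL.
        $problem = "Cannot read ACL: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Folder   = $folder.FullName
        Expected = $folder.Name
        Owner    = $owner
        Problem  = $problem
    }
}

$findings = @($results | Where-Object { $_.Problem })
$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path $OutFile -NoTypeInformation

'{0} folders checked, {1} need correction' -f @($results).Count, $findings.Count
```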
Check Pool Monitor Tool, check Archive log files in Archive Manager
You will need to follow these steps for the following sites:
Amsterdam Hub - AMSSRVARC001
Cyprus - CYPSRVDC001
Zurich - ZRHSRVARC001
Open Enterprise archive manager, connect to a server (using above as guide) go to the 'Jobs' tab:
Click 'Job Reporting' at the bottom left, this brings up the pool monitor.
Run down the list of errors for each job, Items with a green envelope are fine, items with a red envelope failed.
Check that there are no errors within the last 90 days. If there are, check if the person is a leaver. If they are still an active user, make a note of this on the ticket in Zendesk.
You or another engineer will then need to contact those users and troubleshoot to make sure their archiving is working.
The Amsterdam team needs to keep the diagrams updated for the following sites:
Amsterdam
BVI
Curacao
Cyprus
Switzerland (Zurich, Zug, Geneva)
You will need MS Visio installed on your computer to update these. They must be kept up to date with any new servers or network equipment that has been added since the last time this task was completed. Following the existing diagram should give you an idea of what is needed, if unsure ask a senior member of the team.
Check that the radio button for URL is selected, then click 'Update'
Then, log into https://zrhsrvepo01:8443 (from Zurich Admin) and repeat the above. If the URL update fails, go to http://standards.ieee.org/regauth/oui/oui.txt and save a copy of the text file to the Zurich admin server. Then use the file upload option to update the file.
Once you have the extract, sort it by office. You must remove any IT Admin accounts, service accounts, generic accounts & leavers from the list - leavers shouldn't be on there and access should be disabled immediately if they appear there. You can see leavers in the Leavers OU in AD.
Your list should look something like this:
These are the offices you will need to send to:
Antwerp - Eric Hendrickx
Barcelona/Madrid - Xavier Nuet
BVI - Rexella Hodge
Berlin - Gijs Hospers
Curacao - Connie Padilla
Cyprus - Gerard van Spall
Dubai - Barbara Neuerberg
Eemnes - David Spetter
Frankfurt - Marcus Friedrichs
Geneva - Walter Stresseman, Angelica Heinzen
Malta - Derren Busuttil, Marco Bugelli, Alistair Schembri
Rotterdam - Daniel Bolt
Soest - David Spetter
Zug - Massimo Mattanza
Zurich - Massimo Mattanza - Susana Frey
Use the following template for the email:
Dear Colleagues,
IT is currently conducting the quarterly review of email access.
Attached is the current list of colleagues with access to Webmail & Email on their mobile device.
Please review the list asap and advise by return email if any changes are required.
Once you receive the responses, update in Exchange accordingly. If you do not receive a response within 7 days, send a chase email. If you still haven't had a response in a further 7 days escalate to the IT Support Manager.
Cleaning tape needs to be run on tape drives in the following offices:
Amsterdam - go to data centre to run cleaning tapes
Cyprus - Contact Lilia Akrivopoulou to run the tape.
Zurich - Contact Elena Bunker to run the cleaning tape.
Log into ArcServe Backup Manager on AMSSRVSTORE001, CYPSRVDC001, ZRHSRVDC001 and run the cleaning tape job. Speak to Lloyd, Ross or Ambrus if assistance is required with this.
Make an export from AD for each Amsterdam hub satellite office, also create a seperate list that contains IT & BSS admin accounts (From the IT Users OU).
Include the following in the export ( you do this by choosing columns in AD before exporting):
Name
Job Title
Description
Email Address
Telephone Number
Division
Office
Remove any service accounts, IT users or generic / shared accounts from the list, there is a seperate operational task for these.
Send the list to the HR Managers/MD's for each office (list below) using the following template:
Dear...
IT is conducting its quarterly audit of user accounts.
Attached is the list of users currently in the directory for your office. Please review this information and respond confirming any changes that need to be made, or to confirm the list is correct.
If you have any questions about this, please feel free to contact me using the details below.
Kind regards
Amsterdam - Ron Arendsen, Vanessa Mittendorf,
Antwerp - Eric Hendrickx
Barcelona/Madrid- Victoria Oliver
BVI - Rexella Hodge
Berlin - Gijs Hospers
Curacao - Connie Padilla
Cyprus - Gerard van Spall
Dubai - Barbara Neuerberg
Eemnes - David Spetter
Frankfurt - Marcus Friedrichs
Geneva - Walter Stresseman, Angelica Heinzen
Malta - Derren Busuttil, Marco Bugelli, Alistair Schembri
Rotterdam - Daniel Bolt
Soest - Oliver Oser
Zurich & Zug Bruno Sidler - Susana Frey
When you receive a response, update the relevant information in AD, then file the email in the evidence folder for this task.
Log into vistra.sharefile.com and go to People>Manage Users Home
Click 'Export Full User List' - this will download an excel list of users.
Sort this list by last logon date.
For all users that have not logged on for over 90 days, send an email to them asking if they still require access.
If no response within 7 days, send a reminder advising if there is no response then their account will be removed in a further 7 days.
If no response received still, delete the user from Sharefile.
Updated 09-03-2018 LP:
Please use the attached email to send out to the employees that are filtered from the above list. There are three rules created in the ITsupport box that will filter the emails as shown below:
Then use the ePO to deploy the missing software, if any issues report them to Jamie.
For deleting the machines that have not reported in over 30 days got to Menu> System Tree, select this group and all sub groups in the most left drop down menu and do a search without any extra filters. This will show all machines reporting in EPO, now just sort them by last communication. Delete all machines that have not communicated in 30 days> via actions -> directory management -> delete
Contacts:
Guernsey: Tim Laine, John Collenette
Jordans and Bristol: Rhodri Jones
Jersey and VGML: Ross Pringle, Yuri Miranda
London: Bryan
US: Freddie Mac
Once you have the extract, sort it by office and then send the list for Amsterdam to HR and Janine Hildebrandie, CC Ron Arendsen and Vanessa Mittendorf.
IMPORTANT NOTE: You must remove any IT Admin accounts, service accounts, generic accounts & leavers from the list - leavers shouldn't be on there and access should be disabled immediately if they appear there.
Use the following template for the email:
Dear Colleagues,
IT is currently conducting the monthly review of email access.
Attached is the current list of colleagues with access to Webmail & Email on their mobile device.
Please review the list asap and advise by return email if any changes are required.
Vistra Ltd provides individual DDIs to its customers to call into its phone systems. When a customer calls this number, they should be welcomed using their own company name. This requires an inbound hunt group to be created.
This procedure documents the steps required to add a new customer on the Vistra Ltd Unified Communications Manager Platform. The following prerequisites must be met:
A list of users in the hunt-group for the customer
The DDI that the customer has been provided with
Method
Log into the Cisco UCM System
Add a new line group by accessing Call Routing -> Route/Hunt -> Line Group, and click “Add”
Give the line group a name of lg-<customer name>
Change the distribution algorithm to “broadcast”
Select the extension numbers to be in the new group and select “add to line group”
Once complete click “save”
Navigate to hunt-lists by accessing “Call Routing -> Route/Hunt -> Hunt List”
Click “add new”
Name the hunt-list hl-<customer name>
Enter a sensible description
Tick “enable”
Select any CMG
Save the hunt list, then click “add a line group”
Select the correct line group and then click “Save”
Navigate to hunt-pilots by accessing “Call Routing -> Route/Hunt -> Hunt Pilot”
Click find, then select the latest existing hunt-pilot for an existing customer
Click Copy
Change the pilot number to the next available number in the 56XX range
Change the description to a sensible value
Change the hunt list to the new hunt list you created in sections 9-14
Change the Alerting Names to the customer name, then click “Save”
Finally, navigate to “Call Routing -> Translation Patterns”
Search for and select an existing customer number, then click “Copy”
Change the translation pattern to the DDI number allocated to the customer
Change the description to the customer name
Scroll to the bottom of the page, and change the “called party transform mask” to the new hunt pilot number you created in section 15-20
Finally, click Save
The new customer is now deployed. You can test by placing an inbound call to the customer DDI.
Reference Documents
In order to administer the system some useful documents can be found at the following links.
If you have an issue with WorkSite (or any other plugin) not loading automatically when starting Word, Excel or Outlook, this can be caused by the registry key having the wrong value.
FOG slaves are easily configured by cloning existing slaves. The following guide explains the procedure for deploying a new FOG slave. The only requirements are a hypervisor and DHCP.
1. Copy the Hyper-V disk of an existing slave and transfer it to the new remote hypervisor server. Be mindful of the internet line and the VPN between the offices you are copying between. Preferably start the copy on a Friday afternoon.
2. Once copied, make a VM and attach this disk. Don't connect it to the network yet.
3. While it is offline, turn it on, log in with user fog, rename the hostname and reboot. Then give it network access and an IP.
4. As sudo, adjust the FOG settings in the following hidden file to match the new host details: /opt/fog/.fogsettings
5. Go to http://amssrvfog01 and create a new storage group and storage node.
6. Back on the FOG slave, run the installation with sudo as the fog user. While it runs, make sure you see the configuration you set earlier in .fogsettings:
cd /fogproject
./installfog.sh
7. If the install fails, make sure you have internet access and that apt-get install works. Certain packages might require updating.
8. Once complete, go to http://amssrvfog01 and under Settings check that your slave is visible and logging back info.
9. If all is complete, go to your local DHCP server and add option 66 and option 67. Option 66 is your FOG slave IP and option 67 is the image file undionly.kpxe.
More info: https://wiki.fogproject.org/wiki/index.php?title=Modifying_existing_DHCP_server_to_work_with_FOG
10. Now test PXE booting from either Hyper-V or a physical machine.
Orangefield (acquired by Vistra) used to have AccountView.
This was later replaced by millogic, but certain client data is still left behind inside.
Please see the guide below on how to provide access:
1. Install the application using the path below:
\\amssrvfs001\sources$\OF\ACCOUNTVIEW-71-NL-R01\Installation\install.cmd
2. With Notepad, create a batch (.bat) file containing the lines below and place it on the user’s desktop:
net use w: /delete
net use w: \\AMSSRVFS003\AppsProg_NLAM$
3. Create shortcuts to the programs in C:\Program Files (x86)\accountview and place them on the user’s desktop.
4. If the user has no credentials, ask Business Systems (Jeroen Beijer) to create/provide access inside.
Info: the program uses the W: drive for the executables and the R: drive for data.
You will require access to the SafeNet portal to perform this task.
1. Export a list of all users in the following security group: Security - Global Citrix Token Users
You can use the attached script to get the export. Once you have the export, filter it to display only the following offices:
Amsterdam, Antwerp, Barcelona, Madrid, BVI, Berlin, Curacao, Cyprus, Dubai, Eemnes, Frankfurt, Geneva, Malta, Rotterdam, Soest, Zug, Zurich
2. Log into - https://cloud.safenet-inc.com/console/Default.aspx
2) Click “Report” then click “Browse Employees”
4) Now that you can view all the employees, check for users who have not logged in for more than 3 months
* DO NOT email EX CO members, directors and IT staff!
like Martin Crawford, Ad de Beer, Walter Stresemann, etc
5) email the users and save the emails here:
see attached email that you can use as template
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\sent emails
6) wait for replies and save the emails here:
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\received emails
7) if they don't use sharefile anymore
- reset the password
- downgrade the account to client
6) Once you have completed CHE you can now move on to doing the same check for LUX Vault by logging into - https://luxvault.sharefile.com (login details in Password Database)
general link
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check
please update the license sheet as shown in the monthly task https://itsupport.vistra.com/hc/en-gb/articles/207282665-Share-file-Licencing-Monthly-Task-M17
Subject: Monthly Remote Access Check
Message:
Dear ,
We are performing the monthly audit of colleagues who currently have remote access to the Vistra Network via Citrix.
Please review the below list and advise by return email if any user's access should be revoked.
If you have any questions about this, please contact IT Support.
Kind regards
When you receive the replies, remove any users mentioned from the security group then store the emails in the evidence folder.
You must chase the replies if they are not received within a few days. We will fail our audit if these checks are not completed on time. If you do not receive a reply after 2 chases, notify Jamie.
For this task, you need to run the following query in Exchange PowerShell, from AMSSRVADMIN001:
Get-MailboxDatabase -Status | Sort-Object Name | Format-Table Name, DatabaseSize, AvailableNewMailboxSpace
The output should look like this:
For each database, compare the size with the check from the previous month and then report any significant changes to a senior member of the team, so that we can monitor unusual growth.
Store a copy of the output in the evidence folder along with a list of reported discrepancies.
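One way to do the month-over-month comparison without reading two tables side by side. This is an added example, not part of the original procedure; it assumes each month's check was also saved with Export-Csv, and the 10% threshold, the function names and the sample rows are assumptions.

```powershell
# Added example: compare this month's mailbox database sizes with last month's.
# Requires Windows PowerShell 3.0 or later. Assumption: each check was saved as
#   Get-MailboxDatabase -Status |
#       Select-Object Name, DatabaseSize, AvailableNewMailboxSpace |
#       Export-Csv .\dbsizes-<month>.csv -NoTypeInformation
# In a CSV, DatabaseSize is text such as "100 GB (107,374,182,400 bytes)",
# so the exact byte count is parsed out of the parentheses.

function ConvertTo-ByteCount {
    param([Parameter(Mandatory = $true)][string]$SizeText)
    if ($SizeText -match '\(([\d,.\s]+)bytes\)') {
        return [int64]($Matches[1] -replace '[^\d]', '')
    }
    throw "Unrecognised size format: '$SizeText'"
}

function Compare-DatabaseGrowth {
    param(
        [Parameter(Mandatory = $true)][object[]]$Previous,
        [Parameter(Mandatory = $true)][object[]]$Current,
        [double]$ThresholdPercent = 10   # assumption: "significant" is not defined on the page
    )
    # Last month's sizes keyed by database name (hashtable keys are case-insensitive).
    $baseline = @{}
    foreach ($row in $Previous) {
        $baseline[$row.Name] = ConvertTo-ByteCount $row.DatabaseSize
    }

    foreach ($row in $Current) {
        $now = ConvertTo-ByteCount $row.DatabaseSize
        if (-not $baseline.ContainsKey($row.Name)) {
            [pscustomobject]@{
                Name          = $row.Name
                PreviousGB    = $null
                CurrentGB     = [math]::Round([double]$now / 1GB, 1)
                ChangePercent = $null
                Status        = 'REPORT: new database, no baseline'
            }
            continue
        }
        $before = $baseline[$row.Name]
        $baseline.Remove($row.Name)
        $change = [math]::Round([double]($now - $before) / [math]::Max($before, 1) * 100, 1)
        if ([math]::Abs($change) -ge $ThresholdPercent) {
            $status = 'REPORT: significant change'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            Name          = $row.Name
            PreviousGB    = [math]::Round([double]$before / 1GB, 1)
            CurrentGB     = [math]::Round([double]$now / 1GB, 1)
            ChangePercent = $change
            Status        = $status
        }
    }

    # Anything left in the baseline was present last month but not this month.
    foreach ($name in $baseline.Keys) {
        [pscustomobject]@{
            Name          = $name
            PreviousGB    = [math]::Round([double]$baseline[$name] / 1GB, 1)
            CurrentGB     = $null
            ChangePercent = $null
            Status        = 'REPORT: missing from this month'
        }
    }
}

# Constructed sample data (not real databases). Replace with Import-Csv on the
# two monthly files from the evidence folder.
$lastMonth = @'
"Name","DatabaseSize"
"DB-SAMPLE-01","100 GB (107,374,182,400 bytes)"
"DB-SAMPLE-02","200 GB (214,748,364,800 bytes)"
"DB-SAMPLE-03","50 GB (53,687,091,200 bytes)"
'@ | ConvertFrom-Csv

$thisMonth = @'
"Name","DatabaseSize"
"DB-SAMPLE-01","102 GB (109,521,666,048 bytes)"
"DB-SAMPLE-02","260 GB (279,172,874,240 bytes)"
"DB-SAMPLE-04","10 GB (10,737,418,240 bytes)"
'@ | ConvertFrom-Csv

Compare-DatabaseGrowth -Previous $lastMonth -Current $thisMonth |
    Sort-Object Name |
    Format-Table -AutoSize
```

Rows with a status starting with REPORT are the ones to list as discrepancies in the evidence folder.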
In the Archive manager, go to Tools>Address Book Manager:
Go to the Mailboxes tab, arrange by display name and then check that any leavers from the previous month on the spreadsheet have been disabled in archive manager. Make a list of any mailboxes you have de-activated and store in the evidence folder.
This needs to be completed for all of the above servers.
Next, close the address book manager and go to the 'Jobs' Tab, then click 'Job Reporting':
Check the list of errors for each job and if any occurred within the last month, you need to first check if that mailbox is de-activated (if so, ignore the error) and if not then investigate.
Again this needs to be completed for all the above servers.
When that is done, close the Jobs window, then go to 'Help'>'License'. Take a screenshot of the license box and add to the evidence folder.
Note that Archive Manager will shortly be decommissioned so we will not purchase any further licenses.
We receive an email digest of domains that are due to expire.
We get this once a month in the IT Support mailbox, subject: Domain Expiry Report
We also get a quarterly digest from ComLaude with domains due to expire that quarter. For domains registered with ComLaude, the default is that the domain is renewed unless we tell them otherwise.
An example of the domain expiry report is attached.
Go through the list and send an email to each named person on each domain to ask if the domain should be renewed or cancelled.
If you do not see a contact name on the report, then you will need to check the toolpad:
http://vistragroup.toolpad.com - if you do not have access to this, check with a senior member of the team.
Once you have received the answer back, you should do one of the following:
Hosted with ComLaude:
Renew - no action needed
Cancel - email Dylan.Facer@comlaude.com to cancel the domain upon its expiry.
Hosted with IXWebHosting:
Renew or Cancel - log into manage.ixwebhosting.com (details in password manager) and take the appropriate action.
Hosted with EuropeRegistry:
Renew or Cancel - log into EuropeRegistry (details in password manager) and take the appropriate action.
An email should be sent to the Cyprus & Zurich offices regarding their end of month tape backup.
For Cyprus, email Lilia.Akrivopoulou@vistra.com
For Zurich, email Mirjam.Boehnke@vistra.com
You should request that they place the tape in the drive for their month end backup. They should then label the tape as such.
Once the backup is completed (this should be scheduled) then you must contact them to remove the tape so they can arrange for the tape to be collected and stored offsite securely. They should also request that any tapes older than 1 year are returned to the office to be re-used.
Once completed, mark ticket as completed, store email evidence in the evidence folder here:
\\work.local\itsupport\IT Support - Europe\IT Operational Tasks\IT Monthly Task Evidence
Then update the Monthly & Quarterly task spreadsheet.
Please note that the devices connected to CS01 on ports 45 and 46 are unknown at the moment. A question has been raised with the local IT guy to figure out what they are. It is believed that one of these devices also has the Meraki connected to it. This page will be updated when more information is available.
- Understand the technical design of EZE (Penny) in Luxembourg and Amsterdam (Different servers used per BU)
- Administer EZE users
- Create a new fund on request (if someone needs a new fund created in Penny, we first need to create a new database on the Penny SQL Server of the BU, then map it inside the Penny application)
- Understand the technical design of Penny in Luxembourg (server used for which BU)
- Restore a database (=Fund) received from outside (for example EZE Extranet website)
For the Sedico Eemnes office there is an SFTP server NATed through the DMZ to allow clients to upload certain types of files for energy management. See the guide below for how to add a new client.
SSH from the DMZ, or use the console from AMSVHC01, to the Debian VM VNLSRKPFTP01 (172.16.30.32). The password is in the Eemnes password manager.
As sudo, go to /home/FTPROOT/nleesmanager/clients
Create the client folder.
Add a local user with a 128-bit secure password combining characters, numbers, and small and capital letters.
Change the user's home folder path to the FTP folder:
usermod --home /home/FTPROOT/nleesmanager/clients/delta delta
Jail the user so that they only see their own folder:
usermod -d /home/FTPROOT/nleesmanager/clients/delta delta
Add the user to the FTP groups (replace USERNAME with the user):
usermod -a -G ftpusers USERNAME
usermod -a -G sftponly-nlees USERNAME
Restart the daemon:
/etc/init.d/vsftpd restart
Provide the credentials to the requestor with Patrick Zee in CC.
The guides below walk you through changing a Windows Evaluation edition to Standard or Enterprise and activating it manually if there is no internet connectivity.
If it is a trial Windows edition, run the following to find your target upgrade edition:
DISM /online /Get-TargetEditions
Change to the target edition by initiating the registration wizard:
DISM /online /Set-Edition:ServerStandard /ProductKey:KEY-KEY--KEY--KEY-KEY /AcceptEula
Reboot.
If it has the wrong key, delete the old key:
slmgr -upk
Install the new key:
slmgr -ipk KEY-KEY--KEY--KEY-KEY
Get the installation ID:
slmgr.vbs /dti
Go to the MS mobile portal, which is the replacement for their phone service (http://bit.ly/2k8sO9l), select 7 numbers and exchange the installation ID for an activation ID.
Fill in the activation ID:
slmgr.vbs /atp ACTIVATIONIDACTIVATIONIDACTIVATIONID
When a printer has an issue sending large scanned documents, it might be because its hard disk is full. When you encounter this problem you can solve it easily by formatting the internal disk of the printer. This will free up the disk space it needs to do its job.
Printer settings will remain the same after this.
Log in to the webpage and change the Printer Touchscreen UI to local username and password. From this point users can’t use the printer until you are done.
Using the system menu button or remote support page navigate to Tools>security settings>Image Overwrite security
In the new window navigate to “Disk overwrite now” and perform a standard overwrite.
The local disk will be cleaned and the printer will be rebooted
Please be aware of the support escalation procedures for VPM.
VPM is hosted in the USA and staff connect to this using Citrix. If staff experience issues and it is not an issue on our side then please follow the escalation procedures to ensure a speedy resolution.
Points from Anthony Hill:
Please use our Escalation Procedure, it will ensure you get a hold of someone as soon as possible.
If you are getting a lot of alerts over the email and you want to make it more bearable/easier to look at you can change the View Settings and set a conditional formatting.
In the example below I used the temperature emails from the environment monitors.
- When something is critical (RED)
- Information / Warning (YELLOW)
- All good (Green)
Obviously, you can do this with all sorts of emails and use different colours if that suits you better.
2. Add 3 new trap receivers, one each for the IP of the Opsview master and of the local hub slaves, including the community string. Example: Cyprus environment monitor:
Opsview master in Amsterdam and the slaves in Cyprus are all added:
Each one of the above is configured like so, including the community string (see password manager):
3. Now go to the path below and configure the Public2 community with the new string (see password manager), allowing external hosts to tap into the logs.
Administration > Network > SNMPv1 > Access Control > edit public2 and add the below:
4. Now go to Opsview, open the host settings and find an existing environment monitor.
5. Select the Piebar menu and hit Clone.
6. Change the IP, host title and host group (add if missing) under Basic Settings.
7. Under Advanced (at the bottom of the page to open), change the hostname and the slave closest to this device.
8. If you have followed the previous steps correctly, you can now test the SNMP connection.
9. Hit Submit; you can now monitor the environment monitor and receive the alerts.
This guide will help you with a few basic task in the Racktables tool.
1. Add object to Racktables
An object can be anything you put inside your rack, from a server to a PDU. To create an object go to this link: http://amssrvrtb001.work.local/index.php?page=depot&tab=addmore
You can add multiple objects at the same time. Every object has different "Attributes". In short, this means when you add a network switch it won't ask you how many hard disks it has. When you add a server you will be able to add disks to it later on.
2. Add objects to your rack
Once you have created an object, go to the overview to open it: http://amssrvrtb001.work.local/index.php?page=depot&tab=default
Notice the status of the object. It says "Unmounted". That means the object is not placed in your rack. Click on the name of the object to mount it.
Once you have clicked on your object:
- Go to Rackspace tab
- Select the correct tab
- Check the height in the rack. If an object is taking up 2u's then select those boxes as well.
- Press save
I will add more quick howto's here in the near future.
There is a backup copy of the Network Password Manager installed on HKGSRVAPP04 to allow the retrieval of passwords should there be an issue with the Amsterdam Virtual Host Cluster and you are not able to access the password database through the normal connection. The backup copy is updated by the Asia team as a monthly task so may not contain passwords created within the past few weeks but should have enough passwords to get the Amsterdam Virtual Host Cluster back up and running.
If this scenario happens then you will need to get a senior engineer to login to HKGSRVAPP04 and start the following service: Network Password Manager
When the service is started on HKGSRVAPP04, start your Network Password Manager client. Change the computer that it is connecting to from AMSSRVAPP001 to HKGSRVAPP04 as below and enter your credentials to log in:
Please do not create any new passwords when connected to the HKGSRVAPP04 backup copy as they will be lost when reverting back to Amsterdam.
When the Amsterdam Virtual Host Cluster is back up and running please disable the Network Password Manager Service on HKGSRVAPP04 again and revert back to the previous connection AMSSRVAPP001 in the drop down list in Password Manager.
If you need support from Xerox you can use the following details to contact their support.
- Xerox (Nederland) BV
Direct support for contracted printers 020-2035149
De Corridor 5 3621 ZA Breukelen Postbus 117 3620 AC Breukelen, Netherlands Statutair gevestigd te Amsterdam, Handelsregister nr. 33085653 Phone: +31 (0)346 255 255 Fax: +31 (0)346 255 250 Service: +31 (0)20 6563620 E-mail: informatie@xerox.com
International Transportation and Government Xerox Business Services (Netherlands) B.V. Koninginnegracht 14G 2514 AA The Hague The Netherlands Phone: +31 70 346 2680 www.xerox.com/transportation
This page gives an overview of all the Monthly and Quarterly tasks with a short description. These tasks will be assigned to you by your manager if needed. If you have any questions about this you can ask your manager.
Monthly
M3 – Month End Backup Tapes removed and taken offsite by KPN Amsterdam month end backup tapes are removed and stored in secure location off site by KPN.
M4 – Email CYP & ZRH to arrange Month End backup As above, Cyprus & Zurich tapes for month end backups are stored offsite. Collected by Securitas.
M7 – Perform GFI Windows & Software updates on all PC’s in AMS Hub This is a rolling task, updates are pushed out to all workstations on a 2-week cycle of test and live workstations around the AMS hub. UK team takes care of JER & LDN. Updates are pushed out using GFI Languard.
M8 – Perform GFI Windows & Software updates on all PC’s in ZRH Hub LUX team takes care of LUX & ZRH hubs.
M11 – Check McAfee for Marshal is up to date on all Mail Gateways Log into the MailMarshal mail gateways and check that the software is updated.
M12 – Email archive licensing check, review licenses, scheduled jobs & de-activate old mailboxes Log into Metalogix Enterprise Archive Manager and check available archive licenses. De-activate mailboxes for leavers. Check that scheduled archive jobs are running.
M13 – Check Mailbox DB sizes for AMS/ZRH hubs Export from Exchange of mailbox database sizes for all Europe hubs. This is then compared to the export from the previous month. Any significant changes or databases running very low on space to be reported.
M14 – SAS – Remote access Check Export list of users in the ‘Security – Citrix Global Token Users’ group and then sort by office. We then contact managers in AMS Hub & Satellite offices to check that access is still required for list of users for each office.
M15 – OWA & Active Sync check (Amsterdam office only) List of users with Outlook Web Access & Active Sync enabled on their mailboxes is exported from Exchange. We then send the list to the MD in AMS office to confirm if access is still required.
M19 – AMS & ZRH hub - check Citrix server daily restart is working Log onto each Citrix server in AMS & ZRH hubs and check scheduled daily task to ensure that daily restart is working.
M20 – Review Terminal Server Licensing Log into the terminal licensing server and check status of available licenses for each server OS version. Report if licenses in use exceeds available licenses.
M21 – Check supported Chrome Version in webhost protection in DLP Download latest supported chrome versions XML file from McAfee and update in DLP.
M22 – Check user info up to date in Zendesk Check the ‘No User Information Set’ view in Zendesk and complete information for any users appearing in the list.
Quarterly
T1 – Group – Review Viewpoint Privilege Accounts – Annual Check (performed by BSS) Business Systems reviews accounts with privileged access to viewpoint and adjusts accordingly.
T6 – Group – Review of AD Accounts Export from AD for list of users from each office. This is then sent to manager of each office to check and correct information contained in the export.
T7 – Run Cleaning tapes on backup drives – AMS/CYP/ZRH Self-Explanatory
T8 – Group Server Patch Updates (Via Win Update, testing GFI) Log into servers in AMS & ZRH hubs and perform windows updates. Currently testing pushing out these updates using GFI Languard.
T9 – Check autoloaders & Tape drives for new firmware versions Check HP firmware update tool on the StoreEasy / DC servers for updates for tape drives & autoloaders.
T11 – Check Webcam & EM configurations are up to date Log into webcams & environment monitors in each hub and satellite site and check equipment is working and firmware/software is up to date.
T13 – Group – Check for Citrix Xenapp updates Check for patches for current version of Citrix Xenapp then apply to Citrix servers.
T16 – Group - Review of OWA & AS access (Without AMS) As with Monthly Task M15, export list of mailboxes from Exchange of accounts with Active-Sync & Outlook Web Access enabled, then send lists to managers of each office to confirm access is still required. Adjust accordingly when managers respond.
T18 – Test restore from Tapes & D2D Test restoring files from backup tapes and from ArcServe UDP backups for each site.
T19 – Update oui.txt for McAfee RSD Task to update the OUI list for McAfee RSD, log into EPO and run update.
T20 – Check Hyperspin alerts Usually done by Jon Le Page, he checks the alerts from Hyperspin which monitor status of Vistra domains (UP/Down status)
T21 – Update Hub Diagrams (AMS Hub & ZRH Hub) Network Hub Diagrams are stored for each of the hubs, these are updated (in MS Visio) quarterly.
T23 – Sharefile – check users still require access Export list of users from chevault.vistra.com, sort by office then send to managers to check if access for Vistra users & clients is still required.
T24 – ArcServe Patch Manager – AMS/JER/ZRH/LUX Check for updates to ArcServe Tape Backup.
T25 – Create Mapped Drive Policy export and update Zendesk KB article Export is done from GPO and then uploaded to Zendesk knowledge base.
T26 – Update Hyper-V templates Startup the Hyper-V templates on the virtual hosts and perform Windows Updates, then once completed run Sysprep.
T27 – Update Server Rack Documentation Update server rack documentation for each site with new servers/switches/IP’s etc.
T28 – Check Pool Monitor Tool, check archive log files in Email Archive Manager Log into Metalogix Email Archive Manager and check for errors in archiving mailboxes.
T29 – Check users$ folder security in AD (New starters) Check that the user has been given full control of their J: drive folder. (This is checked against new starters since the last check on the OV Starters & Leavers List.)
T30 – Clean old leavers profiles from Citrix Servers Check OV Starters & Leavers list and remove user profiles from Citrix servers – this has been added to the leavers process and so should no longer be required.
T31 – Review all Citrix Farm web interfaces and remove demoted servers from farms Self-explanatory
T32 – Check export of accounts with password set to never expire Export from AD all accounts with non-expiring passwords, and then check if still required. Usually, only service accounts and test accounts require this setting.
T33 – Confirm IT approvers for each office. (Bi-Annual Check) Check with MD’s of each office who should be able to authorize IT related requests & purchases from that office.
The Eemnes/Berlin migration went live on 12-12-2016. On this page you can find details regarding this migration. This should help troubleshoot any problems you encounter when supporting users. Berlin users will log in using Citrix (AMSSRVCTX07) and the Eemnes users will be working locally on their computers.
User environment:
Eemnes office is connected directly to the DC using a site2site connection (10.53.0.0/16).
Applications:
ScanSys Image Capture – application running on clients and reception to digitalize and index the workflows and add it in Synergy
Exact Synergy – Web app to do all business input and interchanging data/documents http://vnlenpapp03/synergy
Exact Globe – Accounting and Billing software interchanging data between Synergy
Ahold VPN – VPN from EMSWRK workstations to access Albert Heijn hosted applications
Jeff-Nett Report runner – reporting software to pull data and visualize the production data.
Task center – Application to manage the processes between Synergy and Globe
Energy management – automated ftp xml data collection from energy management parties.
Energie management online – hosted solution to provide services to our clients (https://energiemanageronline.nl/sedico)
Portal4U – Front-end web application to provide services/information to our Clients (https://portal.vistrasedico.com/nl)
Signatures: Eemnes and Berlin users have a different signature including the Sedico Logo which is linked to: “Security – Office all users” Group
We have integrated the below servers in Vistra Network (AMS Hub):
VNLENPSQL02 – Databases running for the applications and replication to the Portal4you website (https://portal.vistrasedico.com/nl) - Exact Globe Server
VNLENPAPP03 – Synergy application server
VNLENPAPP04 – Taskcenter/Globe application server
EMSSRVOVH001 – Physical HyperV host in Eemnes
EMSSRVDC001 – VM domain controller on OVH
EMSSRVFOG01 – VM imaging server on OVH
VPN AZURE (attached) – 2x VPN to Microsoft Azure, NAT to VNLSRKPSQL02 to download the energy management information
VPN AHOLD – 443 SSL VPN from workstation to provide services and input for Albert Heijn.
You will be asked to log in:
Username: itsupport
Password: in the password db under Vistra/London/Phone System/TIM Plus Log In
Click "Reports"
From here you will be able to see all the different types of reports you can run or schedule, the 2 scheduled reports I have configured are showing at the bottom (LLS & Vistra London).
Monthly Reports
Email Address (LDNTIM@vistra.com) configured to email monthly reports for Vistra London & LLS in PDF format to Nico Kong (Vistra London), Bryan Turner (Vistra London), Ross Pringle (VGML) & itsupport@vistra.com.
If you find that the report hasn't run automatically one month, click on the chosen scheduled report, then click Next repeatedly until you reach the end, where you will be given the choice to "Run now" or "Schedule for later".
Documentation in below URL http://docs.tri-line.com/display/plus/Home
If a website is not loading or loading partly there are several things that can be a problem:
Bluecoat proxy (Page will stay blank or load partially)
McAfee (Will show you a popup saying that it blocked something)
Firewall (Page will stay blank)
WebMarshal (Will block the page and make it clear that webmarshal did it)
** Please note that you always need approval from a name on the IT related approval list before you can whitelist something **
You can find the list here: \\work.local\itsupport\Global\IT related approvals.xslx
1. Check browser
Try different browser
Disable extensions
Use compatibility mode in IE
2. Bluecoat
If the above doesn’t help it’s probably bluecoat that is blocking this. If you want to make sure it’s bluecoat you can bypass it to see what happens. Go to IE and set the following proxy server.
Note: Even though this is an outdated system it still works for troubleshooting purposes. Make sure you use the local dc of the office. For example: in Malta you would use MLTSRVDC001.
LUXSRVDC001:8080
If the website works after that you need to whitelist it to be able to access it. It might happen that the website still doesn’t work after this. This could be because it’s blocked by the firewall. See step 4 on how to continue.
3. Whitelist website
When you whitelist something on Bluecoat it's for everybody. You can't whitelist something for 1 user only.
Go to centralops.net and get the IP of the website
Assign the request of the user with the website and IP to someone who can whitelist things in bluecoat
4. Firewall exception
Sometimes the firewall blocks something. In case you want to whitelist a website or something else that is being blocked by a firewall a rule needs to be created. This is done by an external company so it takes some time.
If a whole office needs access to something that is being blocked by the firewall you need to have the IP range of that office. If only one person needs access to this website you need to give the computer of that user a static IP (Reserve an IP). See following steps to do this.
RDP to the DHCP server (Mostly this is the DC in the office). In Amsterdam it's AMSSRVDC005.
Find the computer of the user
Right click on the computer
Click on “Add to Reservation”
Remember the IP address
Put this IP address (or range) and the IP address and hostname of the website in the ticket and assign it to your manager or a person who has the authority to process firewall rules.
The OfficeAssist plugin in Word sometimes still connects to the old BRESRVFS01 server. This prevents the Word document from opening. In order to solve this, you need to add 2 rules to the hosts file.
You can find the hosts file here: "C:\Windows\System32\drivers\etc".
When deploying to a laptop please follow the below instructions step by step!
1. Set the BIOS admin password to: "LetMeIn"
2. Log into the PC and make sure the following accounts are set up and part of the Administrator group.
Username | Password
Europe-IT | tsurt
User | LetMeIn
3. Copy the folder ‘Offline Encryption - Autoboot’ from \\amssrvfs001\sources$ to a USB stick.
4. Place the USB drive into the laptop and copy the folder to the root of C:\
5. Go into the folder and open the “UserList.txt” and confirm it contains the following:
User:password Europe-IT:password
If not, change it to match the above. DO NOT change the password part of the text.
6. Now open a command prompt and navigate to C:\Offline Encryption – AutoBoot
There should be a txt file called “Offline Activation”. This will have a command within it; copy this into the CMD and run it.
7. If you now look under C:\Offline Encryption – AutoBoot, 2 extra files will have appeared: ESOfflineActivateCMD and OfflineActivation
8. To install the software follow the steps below and make sure that you install in the specified order, or the encryption will not work!
- Browse to C:\Offline Encryption – AutoBoot
- Run “FramePkg” – This installs the McAfee Agent
- Open the VSE880LMLRP6 folder and run ”SetupVSE.exe” – This installs the Anti-Virus
- Open MfeEEAgent folder and run “MfeEEAgent64” – This installs the Drive Encryption Agent (If it’s a 32 bit machine which is unlikely, run MfeEEAgent32)
- Open the MfEEEPC folder and Run “MfeEEPc64” – This installs the Drive Encryption Driver
After these have been installed in order, the laptop will need a restart.
9. Browse to C:\Offline Encryption – AutoBoot and run “Offline Activation”
- A CMD box will appear and you will see it start to activate,
- To confirm the process has started right-click the McAfee agent and go to “Show Drive Encryption”
10. Upon restart, the laptop should go to the endpoint encryption login page. You will need to create security questions and passwords for both windows accounts.
**If the laptop gets stuck and will not boot, go into the BIOS, open System Configuration>SATA Operation, and ensure that ‘AHCI’ is selected. The laptop should then boot normally.**
11. Login first with the ‘Europe-IT’ account, the initial password will be set to 12345. Change this to match the windows account password.
12. You will then be asked to set 3 security questions, set the answers as follows:
What is your Favourite colour: Red
What is your Favourite song: dont worry be happy (this should be exactly like this, no punctuation)
What is your Favourite food: Steak
Then login to windows
Restart the laptop again, change to the ‘User’ account and log in with 12345, change the password to LetMeIn, and then if possible ask the user to set their own security questions. If they are not available, set them to different answers and provide the details to the user when the laptop is handed over.
13. Then login to windows.
14. Copy the laptop encryption key ‘EERecovery’ from C:\ to the USB stick, then copy from USB to the following location on AMSSRVEPO001: \\amssrvepo001\c$\Sources\Laptop Encryption Keys
1 - Move user account to ”Leavers“ OU in “Active Directory Users & Computers”
2 - Open the user account and click on the “Account” tab. At the bottom set the date to expire 2 days from today. This is to give you a chance to archive the mailbox. (the account needs to be enabled for that).
- Reset the password to something random on AD
3. Go to the "Member of" tab and remove user from all security groups except Domain Users
4. Update the Description of the AD Account to the Leave Date:
5 - Add the user to the email archive groups for leavers:
8 - Log into the Citrix server that the user's TS Profile is stored on, delete the user profile. (Control Panel>System>Advanced>User profiles>Settings)
9 - Set Out of Office on mailbox
To change the internal and external OoO message:
Open up the Out of Office tool on the relevant admin server.
Set the Out of Office message as specified on the leavers form for both external and internal mail.
- Test Out of Office message from Both internal and External address to ensure that it is working correctly
- Disable Read Receipts for the mailbox using Exchange Management Shell :
- Remove any Delegated / Full Mailbox Access that other Staff members may have to the mailbox
Open the Exchange management console, right click on the user's mailbox and check send as permissions,
Send as should look like this:
Do the same thing for full access permissions, it should look like this:
- Should a Forward be requested (For highly exceptional circumstances) on the Leaver form then this should be set by a Mail Flow Delivery Option. Note that the email should also be delivered to the mailbox to trigger the Out of Office response:
10 - Open ”Exchange Management Console”, search for the user, open the user & make a note of the size of the mailbox. See below..
11 - Hide the user’s email address from Exchange address lists.
13 - Log into the relevant admin server for where the user is located & open “Archive Manager Exchange Edition”.
14 - Click “View” & click “Archive”
15 - Search for the leavers name in the “Look for:” field.
16 - Right click on the leavers name under the “Search results” area and click “Archive Mailbox” (Example below)
17 - Please make sure that you select the correct retention category
(example Amsterdam = AMSStore01)
18 - Once the mailbox is archived, you should then de-activate it, go to Tools>Address Book Manager:
Then select the ‘Mailboxes’ option, locate the mailbox, right-click and ‘de-activate’:
19 - Once the mailbox is archived you can then go back to ”Exchange Management Console” and make a note of the size of the mailbox now. This should be a lot less than noted before now the mailbox has been archived.
20 - Go back to the admin server & browse to \\work.local\wordtemplates. Click on the location of the user until you get to “Microsoft Access Database”. The database you need to open will always be called “Vistra”.
21. Once the database has opened in Microsoft Access click on Employees.
22. Right click on the row your leaver is in & click “Delete Record”.
23. Browse to \\work.local\itsupport\Global\ in there you will find a spreadsheet called “OV Starters and Leavers” Complete the leavers section with the leavers name & the date they have left the company.
24. If stated on the leavers form that they had access to Advent please email Ryan Taylor in Jersey so he can remove the user account from that system, for LUX email Ambrus. If stated that they have sales force, client portal or sales force access then please contact Nicola Connolly.
25 - IF THE USER IS NOT BASED IN AMS - Assign the Zendesk Ticket to BSS - Once you have completed all of the steps above then use the 'Assign to BSS' check box in Zendesk, this will move the ticket out of the IT queue and into BSS, so make sure you've done everything else first.
*This step is not required for AMS users because HR will email them directly.
26 - You can now Disable the account in AD
27 - If the user is on the Vistra.com website, email marketing@vistra.com to remove them.
28 - Remove the user from the phone system for the office they work in (if applicable)
29 - Confirm with office manager/reception that user's door access card is disabled.
30 - Remove user's token details from Print Server
32 - Amsterdam users only, Remove user from the UC portal/ phone system
33 - Amsterdam users only, notify Eveline via e-mail
34 - Store the completed leavers form in the relevant leavers folder and return copy to HR attached to the ZenDesk ticket.
35 - Last Step
Create an appointment in your calendar Three months from the user’s leaving date to do the following:
You can now go back to ”Exchange Management Console” & remove the mailbox by right clicking and choosing “Remove” (This will automatically remove the user account from “Active Directory Users & Computers”.) BE SURE THAT THE MAILBOX IS ARCHIVED TO THE CORRECT SERVER BEFORE YOU DO THIS
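Steps 1 to 4 of the leaver procedure above (move to the Leavers OU, two-day expiry, random password, group removal, description), as an added PowerShell example that is not part of the original guide. It assumes the ActiveDirectory RSAT module; the function names, the OU distinguished name parameter and the description format are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function New-RandomPassword {
    # Draws characters from a 64-symbol alphabet using a CSPRNG.
    # 256 is a multiple of 64, so "byte % 64" introduces no modulo bias.
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = New-Object byte[] $Length
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until upper case, lower case and a digit are all present,
            # so the value passes the default AD complexity rule.
        } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d')
        return $pw
    }
    finally { $rng.Dispose() }
}

function Invoke-LeaverAdSteps {
    # Hypothetical helper covering leaver steps 1-4 only. It never disables
    # the account: the guide keeps it enabled until the mailbox is archived.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$LeaversOuDn,   # DN of the "Leavers" OU (assumption)
        [Parameter(Mandatory)][datetime]$LeaveDate
    )

    $user = Get-ADUser -Identity $SamAccountName
    # The GUID stays valid after the object is moved; the DN does not.
    $id = $user.ObjectGUID.ToString()

    if (-not $PSCmdlet.ShouldProcess($user.SamAccountName, 'Apply leaver steps 1-4')) { return }

    # Step 1: move the account to the Leavers OU.
    Move-ADObject -Identity $id -TargetPath $LeaversOuDn

    # Step 2: expire in 2 days and reset the password to a random value.
    # The password is never written to output, so nobody knows it afterwards.
    Set-ADAccountExpiration -Identity $id -DateTime (Get-Date).Date.AddDays(2)
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $id -Reset -NewPassword $secure

    # Step 3: remove every group membership except Domain Users.
    $groups = @(Get-ADPrincipalGroupMembership -Identity $id |
                Where-Object { $_.Name -ne 'Domain Users' })
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $id -Confirm:$false
    }

    # Step 4: record the leave date in the description (format is an assumption).
    Set-ADUser -Identity $id -Description ('Leave date: {0:yyyy-MM-dd}' -f $LeaveDate)

    # Return what was changed so it can be pasted into the leaver ticket.
    [pscustomobject]@{
        User          = $user.SamAccountName
        MovedTo       = $LeaversOuDn
        Expires       = (Get-Date).Date.AddDays(2)
        RemovedGroups = $groups.Name
    }
}
```

Running it with `-WhatIf` first shows the target account without changing anything.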
1. Check if username is available
Check the username in the Excel sheet or log in to Archive Manager and verify whether the normal username is already taken.
- Username = first.lastname
- Don't use the insertions of the name of the user
- Tools – address book manager - mailboxes
- If a username is available you can use it
2. Create user account
- Log in to the AMS/LUX/JER or ZRH Admin server
- Open Exchange
- Right-click mailbox and choose New Mailbox...
- Click on Next
- Choose User Mailbox and click Next
- Check the box “specify the OU…” and click on Browse
- Choose the correct OU and fill in the rest of the form.
PASSWORD SHOULD BE SET TO A RANDOM series of characters/numbers and NOT Vistra123
- Click on Next
- Tick to specify the mailbox and click on Browse
- The user should be added to the correct mailbox database
- The location and the database A-Z should be chosen from the user ID
- For example, Baumgas is in Zurich and b is in the mailbox DB of A-F
- Click on Next
- Don’t create an archive and click Next
- Review the short summary of the mailbox and click on New
3. Check mailbox settings
Double click/open the new mailbox and verify that the settings are correct
- Go to email addresses tab
- Go to mailbox features
- Disable OWA, AS, POP3 and IMAP
- Click on OK
4. Security groups
Make sure the user is in the right OU, in case you forgot to do this when creating the mailbox.
- Go to the general tab and fill out the missing information
- Connect his profile and home folder path; these change from office to office as well. Compare with a different user account.
- Add the user to all requested groups:
IMPORTANT NOTE: See this article for Frankfurt users: https://itsupport.vistra.com/hc/en-gb/articles/115004827565-FRA-Datev
5. Welcome emails
Send welcome IT email. You can find the email here:
- \\work.local\itsupport\IT Support - Europe\Welcome to Vistra IT\Office 2010 Exchange 2010
- If the user works in one of the following offices (AMS/LUX/JER/CAY/LDN) please include the Worksite manual. The manual is in the same folder as the welcome IT email.
6. Add user to Zendesk
- Create the user in Zendesk and fill out all fields.
7. Add user to database
- You can find the file here: \\work.local\wordtemplates\
- You need to do this on one of the admin servers.
8. Licencing
- Open the following file: \\work.local\itsupport\Global\OV Starters and Leavers.xlsx
- Update it with the name and username of that person
9. Set up profile
- Login to a workstation with the user’s account
- Set the Word font to Arial 10
- Do the same with Excel
- Do the same with Outlook. Add the signatures too.
- Setup Worksite
- Check printer(s)
10. Check email
- Send an email from the external email address: external.test.vistra@gmail.com (You can find the password in the password manager). Reply and see if that works.
- Do the same with internal email.
11. Email Business systems if required to set up Viewpoint
- For the offices: DXB, JER, LDN, MLT, GVA, ZRH and Zug
12. Change intranet settings
- Go to: https://intranet/Interact/Pages/Admin/People/Staff/Default.aspx?section=106
- Search for the user
- Change default homepage
- Starting date
- Choose manager
Here's an explanation of how I did the bulk change for the forwarding to reception for London. The first thing is that we needed to identify the reception pilot number. The reception software uses CTI ports to control the incoming calls. In your case, the pilot number is 5444, which you can see under "Device->CTI Route Point" and then clicking find. It's the one with a really long seemingly random name
To make the change we're going to use the Bulk Admin Tool, so go to "Bulk Administration->Phones->Add/Update Lines->Update Lines"
Enter some criteria that identifies the extensions you want to change, click find and then click next
You're now presented with a page that looks the same as when you normally configure a line. What you need to do here is tick the box next to the value you want to change, and then set the value that you want to amend. In your case we wanted to change all the extensions to have a CFNA to the reception number, and then change the timer to 16 seconds, or 4 rings.
Then, once you've set everything you want to, scroll to the bottom, click "Run Immediately" or schedule as appropriate, then click submit
Once you've clicked submit, you can monitor your job by going to the job scheduler under "Bulk Administration" at the bottom. You can sort the jobs by submission time.
If you click on the job you submitted you can monitor its status and completion from there. Here's one of the bulk jobs I did to update the forwards
You can review the logs and the present job status in there.
Bulk admin is a great tool, one of the essentials when you're managing a UCM. Worth having a look around it and familiarising yourself!
Over the past month or so I have been travelling often to our London offices. In those trips I/we have completed the below…
Park Lane to St James Square Office Move
Park Lane & Office Suites decommissioned
Visit Data Centre
Orangefield now sitting in Vistra office
LLS Integration
Just a quick note to mention that LLS are a 3-person team. Their PCs are connected via their own switch (shown below), which connects out to a dirty internet connection. There are 2 phones which are connected to our phone systems: 1 normal DDI & 1 phone which is their main LLS number, where they can forward this number to whoever they like via the forward button I have configured for them on that phone. Those phones are the only part of their setup that are on our network. They use Office 365 as their mail client & have their own local printer which all of the machines are connected to.
To support them of course you will need to ask them to go to nlremotesupport.vistra.com & connect to their machines that way.
Below are a couple of photos I managed to take..
\\work.local\itsupport\IT Support - Europe\Offices\London\London Photos
RP - 14/09/2016
Vistra London - Cisco Phone System / General Documentation
The Rotterdam office uses some software to create payslips every month. This is a temporary tool. It will be replaced by NMBRS. This software needs to be updated every month or so. Marjolijn is the one that uses it and will inform us once the update is available.
1. Login AMSSRVCTX06
2. From there, open a new link to download the new update: https://mijn.loon.nl/
3. Click on download, as shown below:
4. Click on the latest update (Download Loon 2016) and check the date
Login details are stored in Password Manager
5. Use the proxy to download the file, save it to C:\Program Files (x86)\RoosRoos Loon\Updates
6. Make sure nobody is using Loon and run the update.exe file
7. After the update, start the program (Loon 2016) from Marjolijn's session and update the client files
To allow users access to hosts within Bomgar PAM, the hosts need to be added and made part of the right group. The steps below explain how to add a host in Bomgar PAM.
2. Log in to the console and hit the Create button. Note: Only make connections based on RDP or SSH (Shell Jump) sessions.
3. Follow the numbers below to add the host. Note: Make sure you select the right Jump Group to give the right party access to the right hosts.
When a third party tries to access a host, an email will be sent to our IT staff (based on the selected Jump policy) requesting approval of the session. The third-party staff will only be allowed to access the host once the session is approved.
Bomgar PAM is the privileged access management solution which Vistra uses to provide access to third-party users who are actively building and/or supporting applications on the Vistra network. All access is granted through approval and using both user credentials and domain credentials.
Add third-party users.
Third-party users log in to our PAM appliance through https://nlpam.vistra.com/login . To allow this, a local user is created using the administration account by following the steps below. This will only allow the person to log in to PAM. To be able to reach our hosts another account needs to be created. Depending on the type of host this can be either an SSH account or a domain account with access to the host. Follow the steps below to create a Bomgar PAM local user.
4. Fill in the username (AD naming convention), display name and email address, and a difficult password with a minimum of 8 characters combining numbers, letters and symbols.
5. Scroll down and change the session permissions to Third Party Support
6. Scroll down and hit Add User
7. Now we need to add the user to the right group policy, allowing them to only see certain hosts. Go to the following menu using the orange menu bar on top of the page.
8. Select the corresponding Third Party Policy which the new user belongs to by hitting the Edit link on the right side of the view:
9. Within the policy hit Add. Select local group and search for the user created earlier. Selecting the user will add them to the policy. Scroll down and save changes once you are ready.
The user will now be able to log in using the provided credentials and see the right hosts depending on the group policy assigned to them. Don't forget to create a second user inside the actual host or domain, otherwise the user won't be able to connect.
Fax : 67883462 (local) or +65-67883426 (from overseas)
***Singtel DataCentre - EXPAN NOC***
NOC EXPAN DCOpns (Data Centre Operations) - Global Enterprise Business T +65 62818121 F +65 62811138 M +65 91381966 38 Kim Chuan Road, Kim Chuan 1 Telecommunication Complex Singapore 537055
In the unfortunate case of downtime, please contact us by telephone (+31 70 381 9218) or e-mail (helpdesk@dataweb.nl) during office hours. When an emergency occurs outside office hours, please call us at our 24/7 hotline; +31 70 369 4734. Please mind, this is for complete downtime of 99,9% connections only. Please notify us of other service interruptions or questions during office hours.
Because of the nature and security importance of the above websites, not all computers are allowed to access them; access is restricted by locked-down firewalls.
How to provide access:
1. Ask for approval and whether front-office, back-office or both is required.
2. Depending on the requested access:
A: Front-office: Add the user and computer to the security group "Application - Amsterdam - FUZE" and restart the computer. This could take some time to replicate.
B: Back-office: Add the computer to a DHCP reservation, and request a senior member to apply firewall changes.
3. The links should be available under Start > All Programs.
If users get an error about profiles being locked down when trying to start a Citrix desktop:
Change the following reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions
In the right pane, double-click on the EnableLockdown key and modify the value from 1 to 0. Close the registry editor and try to start the published application on Citrix.
IT Contacts - Vistra Group - HP Enterprise Support
In-Warranty & Out-of-Warranty: +44 845 161 0030 (our line is now voice activated)
Mon-Fri / 08:00-18:00 (except Bank Holidays)
Calls cost 4p per minute from a BT Landline. Costs from other carriers may vary. Calls from mobile may be higher.
HPE Care Pack or Contract: +44 845 161 0050 (our line is now voice activated)
Mon-Sun / 00:00-24:00
Calls cost 4p per minute from a BT Landline. Costs from other carriers may vary. Calls from mobile may be higher.
============ LUX =======
Contract +352 27 303 111 24x7 Warranty and Out of Warranty +352 27 303 303 M–F 8:00–17:00
The Zurich office uses Sage50 for accounting mandates. The server is hosted on the HyperV in the DC. The server name is Sage50 and is inherited from a previously bought company (globalone).
How to install:
1. Go to \\zrhsrvsql01\public$\APPL\Sesam-CD and install the application
2. Configure it during the wizard and point it to the right shares on the Sage50 server
Sage appl client mount point
\\sage50\sesam
Sage appl config mount point
\\sage50\Sage50Config\SPISecurity
This share (\\zrhsrvsql01\public$) is mapped for some of the staff as H:
Opening mandates:
The required information is stored on both H: as mentioned above and X:
X: is mapped to \\sage50\Sesam
Again, this is not the case for all the Zurich staff, as X: can be a different share for other people.
Below are the locations (X:) for the company files. To open each company you need to open the file called "SFBINI.DAT" within the company folder.
1. Add user to "Security - Cyprus - Orangefield - ADA Users" security group
2. Install \\FC-APPL\AdaAccounting\ADA\First-install-new\setup.exe. This will register the necessary DLL files.
3. Remove the executable from C:\program files so the user does not use it locally.
4. Copy \\FC-APPL\AdaAccounting\ADA\progs\aclock.mdb to C:\windows of the user
5. Map \\FC-APPL\AdaAccounting as a mapped drive with letter K:
6. Reach the icon either from the Cyprus start menu in the user's start menu, or create a shortcut from \\FC-APPL\AdaAccounting\ADA\progs\ada-Acc\ADA-ACC.EXE on the user's desktop.
Start it and you should see the program running.
Install software from sources file. The key should be in the same location
Once installed, open Outlook and send an email to yourself. This should prompt PGP to open a wizard to secure the email account:
Choose ‘Yes..’ and then click next:
Choose ‘new key’ and click next
Click Next, then fill in the user’s name and email address:
Click next again, then fill in the passphrase.
For continuity, and ease of support, all of the staff in Cyprus have been set to ‘Namesurnamerules’ example: Jamiecarterrules
Click Next
Click ‘skip’ on the PGP Global Directory step, and the key is created.
This will also automatically create a messaging policy for that email account.
Next, right-click on the PGP icon in the system tray and choose ‘Open Symantec Encryption Desktop’:
Once open, choose ‘PGP Messaging’ from the menu on the left, you should have a screen like this:
Choose ‘Edit Policies’, highlight the ‘Require Encryption..’ policy and click ‘Edit Policy’
Configure the settings like this, with the user's own email address:
Click OK, then select ‘Opportunistic Encryption’ and click Edit Policy. Configure like this, again entering the user's own email address:
Set master key & encrypt buttons:
Right-click on the system tray icon and choose ‘options’. Then choose the ‘Master Keys’ tab:
Click ‘Add’:
Double-click on the user's key in the next window to add it, then click OK:
Then choose the Notifier tab, check the box for ‘Use PGP notifier’
UNCHECK the box for ‘Ask me before sending email when recipient’s key is not found’:
Exporting the user’s Key.
Each user will need to email their own key to their clients, and then import their clients' keys in order to be able to encrypt and decrypt emails between them.
To export the user’s key:
Open the Symantec Encryption Desktop console as above, then choose ‘PGP keys’ on the left, you should see something like this:
*Note – for most Cyprus users, they will already have a huge list of keys. Don’t worry about that for now.
Click on ‘My private keys’, there should be only one key here. If there is more than one, check the properties on each key and delete all those except the most recently created.
Highlight the key, then click ‘Email this key’
It will generate this email:
Importing Keys
When the user receives a client key to import, open the email with the key attached, and double-click on the key, click ‘Open’ then you should get this:
Select the key, and click ‘Import’.
That should be all.
Troubleshooting:
If the user has any issues encrypting or decrypting client emails, delete any existing keys for that client and then re-import the client keys. Ensure that the correct version of the user’s own key has been emailed to the client and imported.
Make sure that there is only 1 messaging policy present for the user, with their VISTRA address. Delete any others.
In Zurich there is a large paper archive located in a special room next to the reception. One of the Zurich staff scans these papers into CENSRV03.work.local using the two printers in that room (ZRHPRN004 and ZRHPRN005). This documentation attempts to explain this workflow and provide troubleshooting.
Scan server
HP Autostore server and NSI autostore are used to host the archiving solution on the above-mentioned server. Both of these services are now acquired by Nuance. At the moment we are using an older version. See the attachment for more detailed instructions about these solutions to understand the technical side of each of these tools.
Scan Client
The two printers (ZRHPRN004 and ZRHPRN005) mentioned earlier both have Java applets in their NVRAM to provide a scan client, which is shown on the OSD menu of the printer. This client communicates with the server and recognizes scanned bulks based on their barcodes. Whenever you change the IP of the server, you can apply the API commands below to change the IP which the printers use to communicate with the server.
The barcodes are generated inside an MDB and printed. When scanning, these barcodes are placed in front of each bulk scan to communicate with the server and move the scans into their respective folder. See the location below, which is used to provide the Access MDB to the user to create barcodes:
The whole process is configured through a program called NSI process designer. This is located on CENSRV03. The designed process then gets saved as a CFG file. This file is called an "autostore script" and you can run it in the scan2map service, which communicates with the printers.
Troubleshooting:
Sometimes the printer does not show the OSD (On Screen Display) menu. This might be caused by different factors:
- The printer is unable to ping CENSRV03 (10.38.10.150)
- The scan2map service has crashed or is not started on CENSRV03
If you notice that you have created a user in AD & added them to the correct Intranet Security group (E.g Security - Intranet Jersey Users) but in the intranet they haven't synced through then please check the below and make sure we have spare licences.
If you find that you have checked the below and we have spare licences, then please email (help@interact-intranet.com) & Interact will do a remote session to check the intranet logs and see why the user(s) aren't being synced through.
Note that AD syncs with the intranet every evening at around 9PM.
- Understand the technical design of EZE (Penny) in Luxembourg and Amsterdam (Different servers used per BU)
- Administer EZE users
- Create a new fund on request (if someone needs a new fund created in Penny, we first need to create a new database on the Penny SQL Server of the BU, then map it inside the Penny application)
- Understand the technical design of Penny in Luxembourg (server used for which BU)
- Create a new fund on request (if someone needs a new fund created in Penny, we first need to create a new database on the Penny SQL Server of the BU, then map it inside the Penny application)
- Restore a database (=Fund) received from outside (for example EZE Extranet website)
For the Sedico Eemnes office there is an SFTP server NATted through the DMZ to allow clients to upload certain types of files regarding energy management. See the guide below for how to add a new client.
SSH from the DMZ, or open the console from AMSVHC01, to the Debian VM VNLSRKPFTP01 (172.16.30.32). The password is in the Eemnes password manager.
As sudo, go to /home/FTPROOT/nleesmanager/clients
Create the client folder
Add a local user with a 128-bit secure password combining characters, numbers, and small and capital letters
Change the user's home folder path to the FTP folder:
usermod --home /home/FTPROOT/nleesmanager/clients/delta delta
Jail the user to only see his own folder (-d is the short form of --home, so this sets the same home directory):
usermod -d /home/FTPROOT/nleesmanager/clients/delta delta
Add the user to the FTP groups (replace USERNAME with the user):
usermod -a -G ftpusers USERNAME
usermod -a -G sftponly-nlees USERNAME
Restart the daemon:
/etc/init.d/vsftpd restart
Provide the credentials to the requestor with Patrick Zee in CC
The guide below walks you through changing the Windows Evaluation edition to Standard or Enterprise and activating it manually if there is no internet connectivity.
If it is a trial Windows edition, run this to find your target upgrade edition:
DISM /online /Get-TargetEditions
Change to the target edition by initiating the registration wizard:
DISM /online /Set-Edition:ServerStandard /ProductKey:KEY-KEY--KEY--KEY-KEY /AcceptEula
Reboot
If it has the wrong key, delete the old key:
slmgr -upk
Install the new key:
slmgr -ipk KEY-KEY--KEY--KEY-KEY
Get the installation ID:
slmgr.vbs /dti
Go to the MS mobile portal, which is the replacement of their phone service, http://bit.ly/2k8sO9l and select 7 numbers and interchange with the activation ID
Fill in the activation ID:
slmgr.vbs /atp ACTIVATIONIDACTIVATIONIDACTIVATIONID
When a printer has an issue sending large scanned documents, it might have to do with a hard disk that is full. When you encounter this problem you can solve it easily by formatting the internal disk of the printer. This will free up the disk space it needs to do its job.
Printer settings will remain the same after this.
Log in to the webpage and change the Printer Touchscreen UI to local username and password. During this time the users can’t use the printer until you are done.
Using the system menu button or remote support page navigate to Tools>security settings>Image Overwrite security
In the new window navigate to “Disk overwrite now” and perform a standard overwrite.
The local disk will be cleaned and the printer will be rebooted
Please be aware of the support escalation procedures for VPM.
VPM is hosted in the USA and staff connect to this using Citrix. If staff experience issues and it is not an issue on our side then please follow the escalation procedures to ensure a speedy resolution.
Points from Anthony Hill:
Please use our Escalation Procedure, it will ensure you get a hold of someone as soon as possible.
If you are getting a lot of alerts over the email and you want to make it more bearable/easier to look at you can change the View Settings and set a conditional formatting.
In the example below I used the temperature emails from the environment monitors.
- When something is critical (RED)
- Information / Warning (YELLOW)
- All good (Green)
Obviously, you can do this with all sorts of emails and use different colours if that suits you better.
2. Add 3 new trap receivers, each with the IP of the Opsview master and the local hub slaves, including the community string. Example: Cyprus environment monitor:
Opsview master in Amsterdam and the slaves in Cyprus are all added:
Each one of the above is configured like so, including the community string (see password manager)
3. Now go to the path below and configure the Public2 community with the new string (see password manager), allowing external hosts to tap into the logs.
Administration > Network > SNMPv1 > Access Control > edit public2 and add below:
4. Now go to Opsview and host settings and find an existing Environment Monitor.
5. Select the Piebar Menu and hit Clone
6. Change the IP, host title and host group (add if missing) under Basic Settings
7. In Advanced (open it at the bottom of the page), change the Hostname and the slave closest to this device
8. If you have followed the previous steps correctly you can now test the SNMP connection.
9. Hit Submit and you can now monitor the Environment Monitor and receive the alerts
This guide will help you with a few basic task in the Racktables tool.
1. Add object to Racktables
An object can be anything you put inside your rack, from a server to a PDU. To create an object go to this link: http://amssrvrtb001.work.local/index.php?page=depot&tab=addmore
You can add multiple objects at the same time. Every object has different "Attributes". In short, this means when you add a network switch it won't ask you how many hard disks it has. When you add a server you will be able to add disks to it later on.
2. Add objects to your rack
Once you have created an object, go to the overview to open it: http://amssrvrtb001.work.local/index.php?page=depot&tab=default
Notice the status of the object. It says "Unmounted". That means the object is not placed in your rack. Click on the name of the object to mount it.
Once you have clicked on your object:
- Go to Rackspace tab
- Select the correct tab
- Check the height in the rack. If an object is taking up 2u's then select those boxes as well.
- Press save
I will add more quick howto's here in the near future.
There is a backup copy of the Network Password Manager installed on HKGSRVAPP04 to allow the retrieval of passwords should there be an issue with the Amsterdam Virtual Host Cluster and you are not able to access the password database through the normal connection. The backup copy is updated by the Asia team as a monthly task so may not contain passwords created within the past few weeks but should have enough passwords to get the Amsterdam Virtual Host Cluster back up and running.
If this scenario happens then you will need to get a senior engineer to login to HKGSRVAPP04 and start the following service: Network Password Manager
When the service is started on HKGSRVAPP04, start your Network Password Manager client. Change the computer that it is connecting to from AMSSRVAPP001 to HKGSRVAPP04 as below and enter your credentials to log in:
Please do not create any new passwords when connected to the HKGSRVAPP04 backup copy as they will be lost when reverting back to Amsterdam.
When the Amsterdam Virtual Host Cluster is back up and running please disable the Network Password Manager Service on HKGSRVAPP04 again and revert back to the previous connection AMSSRVAPP001 in the drop down list in Password Manager.
If you need support from Xerox you can use the following details to contact their support.
- Xerox (Nederland) BV
Direct support for contracted printers 020-2035149
De Corridor 5 3621 ZA Breukelen Postbus 117 3620 AC Breukelen, Netherlands Statutair gevestigd te Amsterdam, Handelsregister nr. 33085653 Phone: +31 (0)346 255 255 Fax: +31 (0)346 255 250 Service: +31 (0)20 6563620 E-mail: informatie@xerox.com
International Transportation and Government Xerox Business Services (Netherlands) B.V. Koninginnegracht 14G 2514 AA The Hague The Netherlands Phone: +31 70 346 2680 www.xerox.com/transportation
This page gives an overview of all the Monthly and Quarterly tasks with a short description. These tasks will be assigned to you by your manager if needed. If you have any questions about this you can ask your manager.
Monthly
M3 – Month End Backup Tapes removed and taken offsite by KPN Amsterdam month end backup tapes are removed and stored in secure location off site by KPN.
M4 – Email CYP & ZRH to arrange Month End backup As above, Cyprus & Zurich tapes for month end backups are stored offsite. Collected by Securitas.
M7 – Perform GFI Windows & Software updates on all PC’s in AMS Hub This is a rolling task, updates are pushed out to all workstations on a 2-week cycle of test and live workstations around the AMS hub. UK team takes care of JER & LDN. Updates are pushed out using GFI Languard.
M8 – Perform GFI Windows & Software updates on all PC’s in ZRH Hub LUX team takes care of LUX & ZRH hubs.
M11 – Check McAfee for Marshal is up to date on all Mail Gateways Log into the MailMarshal mail gateways and check that the software is updated.
M12 – Email archive licensing check, review licenses, scheduled jobs & de-activate old mailboxes Log into Metalogix Enterprise Archive Manager and check available archive licenses. De-activate mailboxes for leavers. Check that scheduled archive jobs are running.
M13 – Check Mailbox DB sizes for AMS/ZRH hubs Export from Exchange of mailbox database sizes for all Europe hubs. This is then compared to the export from the previous month. Any significant changes or databases running very low on space to be reported.
M14 – SAS – Remote access Check Export list of users in the ‘Security – Citrix Global Token Users’ group and then sort by office. We then contact managers in AMS Hub & Satellite offices to check that access is still required for list of users for each office.
M15 – OWA & Active Sync check (Amsterdam office only) List of users with Outlook Web Access & Active Sync enabled on their mailboxes is exported from Exchange. We then send the list to the MD in AMS office to confirm if access is still required.
M19 – AMS & ZRH hub - check Citrix server daily restart is working Log onto each Citrix server in AMS & ZRH hubs and check scheduled daily task to ensure that daily restart is working.
M20 – Review Terminal Server Licensing Log into the terminal licensing server and check status of available licenses for each server OS version. Report if licenses in use exceed available licenses.
M21 – Check supported Chrome Version in webhost protection in DLP Download latest supported chrome versions XML file from McAfee and update in DLP.
M22 – Check user info up to date in Zendesk Check the ‘No User Information Set’ view in Zendesk and complete information for any users appearing in the list.
Quarterly
T1 – Group – Review Viewpoint Privilege Accounts – Annual Check (performed by BSS) Business Systems reviews accounts with privileged access to viewpoint and adjusts accordingly.
T6 – Group – Review of AD Accounts Export from AD for list of users from each office. This is then sent to manager of each office to check and correct information contained in the export.
T7 – Run Cleaning tapes on backup drives – AMS/CYP/ZRH Self-Explanatory
T8 – Group Server Patch Updates (Via Win Update, testing GFI) Log into servers in AMS & ZRH hubs and perform windows updates. Currently testing pushing out these updates using GFI Languard.
T9 – Check autoloaders & Tape drives for new firmware versions Check HP firmware update tool on the StoreEasy / DC servers for updates for tape drives & autoloaders.
T11 – Check Webcam & EM configurations are up to date Log into webcams & environment monitors in each hub and satellite site and check equipment is working and firmware/software is up to date.
T13 – Group – Check for Citrix Xenapp updates Check for patches for current version of Citrix Xenapp then apply to Citrix servers.
T16 – Group - Review of OWA & AS access (Without AMS) As with Monthly Task M15, export list of mailboxes from Exchange of accounts with Active-Sync & Outlook Web Access enabled, then send lists to managers of each office to confirm access is still required. Adjust accordingly when managers respond.
T18 – Test restore from Tapes & D2D Test restoring files from backup tapes and from ArcServe UDP backups for each site.
T19 – Update oui.txt for McAfee RSD Task to update the OUI list for McAfee RSD, log into EPO and run update.
T20 – Check Hyperspin alerts Usually done by Jon Le Page, he checks the alerts from Hyperspin which monitor status of Vistra domains (UP/Down status)
T21 – Update Hub Diagrams (AMS Hub & ZRH Hub) Network Hub Diagrams are stored for each of the hubs, these are updated (in MS Visio) quarterly.
T23 – Sharefile – check users still require access Export list of users from chevault.vistra.com, sort by office then send to managers to check if access for Vistra users & clients is still required.
T24 – ArcServe Patch Manager – AMS/JER/ZRH/LUX Check for updates to ArcServe Tape Backup.
T25 – Create Mapped Drive Policy export and update Zendesk KB article Export is done from GPO and then uploaded to Zendesk knowledge base.
T26 – Update Hyper-V templates Startup the Hyper-V templates on the virtual hosts and perform Windows Updates, then once completed run Sysprep.
T27 – Update Server Rack Documentation Update server rack documentation for each site with new servers/switches/IP’s etc.
T28 – Check Pool Monitor Tool, check archive log files in Email Archive Manager Log into Metalogix Email Archive Manager and check for errors in archiving mailboxes.
T29 – Check users$ folder security in AD (New starters) Check that the user has been given full control of their J: drive folder. (This is checked against new starters since the last check on the OV Starters & Leavers List.)
T30 – Clean old leavers profiles from Citrix Servers Check OV Starters & Leavers list and remove user profiles from Citrix servers – this has been added to the leavers process and so should no longer be required.
T31 – Review all Citrix Farm web interfaces and remove demoted servers from farms Self-explanatory
T32 – Check export of accounts with password set to never expire Export from AD all accounts with non-expiring passwords, and then check if still required. Usually, only service accounts and test accounts require this setting.
T33 – Confirm IT approvers for each office. (Bi-Annual Check) Check with MD’s of each office who should be able to authorize IT related requests & purchases from that office.
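The two Active Directory exports described in tasks M14 and T32 can be scripted as below. This is an added example, not a script from the original page; the output folder, the 90-day stale threshold and the wildcard used to match the group name are assumptions.

```powershell
# Added example: access-review exports for tasks M14 and T32.
# Run from an admin server with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# Group name from task M14. The wildcard matches either a hyphen or an en dash
# after "Security", since the page does not show which one the AD object uses.
$TokenGroupFilter = "Name -like 'Security * Citrix Global Token Users'"
$OutDir    = 'C:\Temp\AccessReview'   # assumed output folder
$StaleDays = 90                        # assumed threshold, not from the page
$Stamp     = Get-Date -Format 'yyyy-MM'
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pre-mark rows the office manager should look at first.
# LastLogonDate comes from lastLogonTimestamp, which can lag by up to ~14 days.
function Get-ReviewFlag {
    param($User)
    if (-not $User.Enabled)              { return 'Disabled account' }
    if (-not $User.LastLogonDate)        { return 'Never logged on' }
    if ($User.LastLogonDate -lt $Cutoff) { return "No logon in $StaleDays days" }
    return ''
}

# --- M14: remote access (token) users, one CSV per office ---
$group = @(Get-ADGroup -Filter $TokenGroupFilter)
if ($group.Count -ne 1) {
    throw "Expected exactly one token group, found $($group.Count)"
}

$tokenUsers = Get-ADGroupMember -Identity $group[0] -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties Office, LastLogonDate
    } |
    ForEach-Object {
        [pscustomobject]@{
            Office         = if ($_.Office) { $_.Office } else { 'NoOfficeSet' }
            SamAccountName = $_.SamAccountName
            Name           = $_.Name
            Enabled        = $_.Enabled
            LastLogonDate  = $_.LastLogonDate
            ReviewFlag     = Get-ReviewFlag $_
            StillRequired  = ''   # column for the manager to fill in
        }
    } |
    Sort-Object Office, SamAccountName

# One file per office, so each manager only receives their own users.
$tokenUsers | Group-Object Office | ForEach-Object {
    $safeName = $_.Name -replace '[^\w\-]', '_'
    $path     = Join-Path $OutDir "$Stamp-TokenUsers-$safeName.csv"
    $_.Group | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
}

# --- T32: accounts whose password never expires ---
$neverExpire = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, LastLogonDate, Description, Office |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Name            = $_.Name
            Enabled         = $_.Enabled
            Office          = $_.Office
            PasswordLastSet = $_.PasswordLastSet
            LastLogonDate   = $_.LastLogonDate
            Description     = $_.Description
            ReviewFlag      = Get-ReviewFlag $_
        }
    } |
    Sort-Object PasswordLastSet

$neverExpire | Export-Csv -Path (Join-Path $OutDir "$Stamp-PasswordNeverExpires.csv") `
    -NoTypeInformation -Encoding UTF8

# Short summary for the ticket.
"Token users: {0} ({1} flagged)" -f @($tokenUsers).Count,
    @($tokenUsers | Where-Object ReviewFlag).Count
"Never-expire accounts: {0} ({1} flagged)" -f @($neverExpire).Count,
    @($neverExpire | Where-Object ReviewFlag).Count
```

Comparing this month's CSVs with last month's shows accounts that were added to the token group or switched to a non-expiring password since the previous review.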
The Eemnes/Berlin migration went live on 12-12-2016. On this page you can find details regarding this migration. This should help troubleshoot any problems you encounter when supporting users. Berlin users will log in using Citrix (AMSSRVCTX07) and the Eemnes users will be working locally on their computers.
User environment:
Eemnes office is connected directly to the DC using a site2site connection (10.53.0.0/16).
Applications:
- ScanSys Image Capture – application running on clients and reception to digitalize and index the workflows and add it in Synergy
- Exact Synergy – Web app to do all business input and interchanging data/documents http://vnlenpapp03/synergy
- Exact Globe – Accounting and Billing software interchanging data between Synergy
- Ahold VPN – VPN from EMSWRK workstations to access Albert Heijn hosted applications
- Jeff-Nett Report runner – reporting software to pull data and visualize the production data.
- Task center – Application to manage the processes between Synergy and Globe
- Energy management – automated ftp xml data collection from energy management parties.
- Energie management online – hosted solution to provide services to our clients (https://energiemanageronline.nl/sedico )
- Portal4U – Front-end web application to provide services/information to our Clients ( https://portal.vistrasedico.com/nl )
Signatures: Eemnes and Berlin users have a different signature including the Sedico Logo which is linked to: “Security – Office all users” Group
We have integrated the below servers in Vistra Network (AMS Hub):
- VNLENPSQL02 – Databases running for the applications and replication to the Portal4you website (https://portal.vistrasedico.com/nl) - Exact Globe Server
- VNLENPAPP03 – Synergy application server
- VNLENPAPP04 – Taskcenter/Globe application server
- EMSSRVOVH001 – Physical HyperV host in Eemnes
- EMSSRVDC001 – VM domain controller on OVH
- EMSSRVFOG01 – VM imaging server on OVH
- VPN AZURE(attached) – 2x VPN to Microsoft azure NAT to VNLSRKPSQL02 to download the energy management information
- VPN AHOLD – 443 SSL VPN from workstation to provide services and input for Albert Heijn.
You will be asked to log in.
Username: itsupport
Password: in the password db under Vistra/London/Phone System/TIM Plus Log In
Click "Reports"
From here you will be able to see all the different types of reports you can run or schedule, the 2 scheduled reports I have configured are showing at the bottom (LLS & Vistra London).
Monthly Reports
Email Address (LDNTIM@vistra.com) configured to email monthly reports for Vistra London & LLS in PDF format to Nico Kong (Vistra London), Bryan Turner (Vistra London), Ross Pringle (VGML) & itsupport@vistra.com.
If you find that the report hasn't run automatically one month, you can click on the chosen scheduled report and click Next, Next until you reach the end, where you will be given the choice to "Run now" or "Schedule for later".
Documentation is at the URL below: http://docs.tri-line.com/display/plus/Home
If a website is not loading or loading partly there are several things that can be a problem:
Bluecoat proxy (Page will stay blank or load partially)
McAfee (Will show you a popup saying that it blocked something)
Firewall (Page will stay blank)
WebMarshal (Will block the page and make it clear that webmarshal did it)
** Please note that you always need approval from a name on the IT related approval list before you can whitelist something **
You can find the list here: \\work.local\itsupport\Global\IT related approvals.xslx
1. Check browser
Try different browser
Disable extensions
Use compatibility mode in IE
2. Bluecoat
If the above doesn’t help it’s probably bluecoat that is blocking this. If you want to make sure it’s bluecoat you can bypass it to see what happens. Go to IE and set the following proxy server.
Note: Even though this is an outdated system it still works for troubleshooting purposes. Make sure you use the local dc of the office. For example: in Malta you would use MLTSRVDC001.
LUXSRVDC001:8080
If the website works after that you need to whitelist it to be able to access it. It might happen that the website still doesn’t work after this. This could be because it’s blocked by the firewall. See step 4 on how to continue.
3. Whitelist website
When you whitelist something on Bluecoat it's for everybody. You can't whitelist something for 1 user only.
Go to centralops.net and get the IP of the website
Assign the request of the user with the website and IP to someone who can whitelist things in bluecoat
4. Firewall exception
Sometimes the firewall blocks something. In case you want to whitelist a website or something else that is being blocked by a firewall a rule needs to be created. This is done by an external company so it takes some time.
If a whole office needs access to something that is being blocked by the firewall you need to have the IP range of that office. If only one person needs access to this website you need to give the computer of that user a static IP (Reserve an IP). See following steps to do this.
RDP to the DHCP server (Mostly this is the DC in the office). In Amsterdam it's AMSSRVDC005.
Find the computer of the user
Right click on the computer
Click on “Add to Reservation”
Remember the IP address
Put this IP address (or range) and the IP address and hostname of the website in the ticket and assign it to your manager or a person who has the authority to process firewall rules.
The OfficeAssist plugin in Word sometimes still connects to the old BRESRVFS01 server. This prevents the Word document from opening. To solve this, you need to add 2 rules to the hosts file.
You can find the host file here: "C:\Windows\System32\drivers\etc".
When deploying to a laptop please follow the below instructions step by step!
1. Set the BIOS admin password to: "LetMeIn"
2. Log into the PC and make sure the following accounts are set up and part of the Administrator group.
- Username: Europe-IT, Password: tsurt
- Username: User, Password: LetMeIn
3. Copy the folder ‘Offline Encryption - Autoboot’ from \\amssrvfs001\sources$ to a USB stick.
4. Place the USB drive into the laptop and copy the folder to the root of C:\
5. Go into the folder and open “UserList.txt” and confirm it contains the following:
User:password
Europe-IT:password
If not, change it to match the above. DO NOT change the password part of the text.
6. Now open a command prompt and navigate to C:\Offline Encryption – AutoBoot
There should be a txt file called “Offline Activation”. This will have a command within it; copy this into the CMD and run it.
7. If you now look under C:\Offline Encryption – AutoBoot, 2 extra files will have appeared:
- ESOfflineActivateCMD
- OfflineActivation
8. To install the software follow the steps below and make sure that you install in the specified order, or the encryption will not work!
- Browse to C:\Offline Encryption – AutoBoot
- Run “FramePkg” – This installs the McAfee Agent
- Open the VSE880LMLRP6 folder and run ”SetupVSE.exe” – This installs the Anti-Virus
- Open MfeEEAgent folder and run “MfeEEAgent64” – This installs the Drive Encryption Agent (If it’s a 32 bit machine which is unlikely, run MfeEEAgent32)
- Open the MfEEEPC folder and Run “MfeEEPc64” – This installs the Drive Encryption Driver
After these have been installed in order, the laptop will need a restart.
9. Browse to C:\Offline Encryption – AutoBoot and run “Offline Activation”
- A CMD box will appear and you will see it start to activate.
- To confirm the process has started right-click the McAfee agent and go to “Show Drive Encryption”
10. Upon restart, the laptop should go to the endpoint encryption login page. You will need to create security questions and passwords for both windows accounts.
**If the laptop gets stuck and will not boot, go into the BIOS, open System Configuration>SATA Operation, and ensure that ‘AHCI’ is selected. The laptop should then boot normally.**
11. Login first with the ‘Europe-IT’ account, the initial password will be set to 12345. Change this to match the windows account password.
12. You will then be asked to set 3 security questions, set the answers as follows:
- What is your Favourite colour: Red
- What is your Favourite song: dont worry be happy (this should be exactly like this, no punctuation)
- What is your Favourite food: Steak
Then login to windows
Restart the laptop again, change to the ‘User’ account and log in with 12345, change the password to LetMeIn, and then if possible ask the user to set their own security questions. If they are not available, set them to different answers and provide the details to the user when the laptop is handed over.
13. Then login to windows.
14. Copy the laptop encryption key ‘EERecovery’ from C:\ to the USB stick, then copy from USB to the following location on AMSSRVEPO001: \\amssrvepo001\c$\Sources\Laptop Encryption Keys
1 - Move user account to ”Leavers“ OU in “Active Directory Users & Computers”
2 - Open the user account and click on the “Account” tab. At the bottom set the date to expire 2 days from today. This is to give you a chance to archive the mailbox. (the account needs to be enabled for that).
- Reset the password to something random on AD
3. Go to the "Member of" tab and remove user from all security groups except Domain Users
4. Update the Description of the AD Account to the Leave Date:
5 - Add the user to the email archive groups for leavers:
8 - Log into the Citrix server that the user's TS Profile is stored on, delete the user profile. (Control Panel>System>Advanced>User profiles>Settings)
9 - Set Out of Office on mailbox
To change the internal and external OoO message:
Open up the Out of Office tool on the relevant admin server.
Set the Out of Office message as specified on the leavers form for both external and internal mail.
- Test Out of Office message from Both internal and External address to ensure that it is working correctly
- Disable Read Receipts for the mailbox using Exchange Management Shell :
- Remove any Delegated / Full Mailbox Access that other Staff members may have to the mailbox
Open the Exchange management console, right click on the user's mailbox and check send as permissions,
Send as should look like this:
Do the same thing for full access permissions, it should look like this:
- Should a Forward be requested (For highly exceptional circumstances) on the Leaver form then this should be set by a Mail Flow Delivery Option. Note that the email should also be delivered to the mailbox to trigger the Out of Office response:
10 - Open ”Exchange Management Console”, search for the user, open the user & make a note of the size of the mailbox. See below..
11 - Hide the user’s email address from Exchange address lists.
13 - Log into the relevant admin server for where the user is located & open “Archive Manager Exchange Edition”.
14 - Click “View” & click “Archive”
15 - Search for the leavers name in the “Look for:” field.
16 - Right click on the leavers name under the “Search results” area and click “Archive Mailbox” (Example below)
17 - Please make sure that you select the correct retention category
(example Amsterdam = AMSStore01)
18 - Once the mailbox is archived, you should then de-activate it, go to Tools>Address Book Manager:
Then select the ‘Mailboxes’ option, locate the mailbox, right-click and ‘de-activate’:
19 - Once the mailbox is archived you can then go back to ”Exchange Management Console” and make a note of the size of the mailbox now. This should be a lot less than noted before now the mailbox has been archived.
20 - Go back to the admin server & browse to \\work.local\wordtemplates. Click on the location of the user until you get to “Microsoft Access Database”; the database you need to open will always be called “Vistra”.
21. Once the database has opened in Microsoft Access click on Employees.
22. Right click on the row your leaver is in & click “Delete Record”.
23. Browse to \\work.local\itsupport\Global\ in there you will find a spreadsheet called “OV Starters and Leavers” Complete the leavers section with the leavers name & the date they have left the company.
24. If stated on the leavers form that they had access to Advent please email Ryan Taylor in Jersey so he can remove the user account from that system, for LUX email Ambrus. If stated that they have sales force, client portal or sales force access then please contact Nicola Connolly.
25 - IF THE USER IS NOT BASED IN AMS - Assign the Zendesk Ticket to BSS - Once you have completed all of the steps above then use the 'Assign to BSS' check box in Zendesk, this will move the ticket out of the IT queue and into BSS, so make sure you've done everything else first.
*This step is not required for AMS users because HR will email them directly.
26 - You can now Disable the account in AD
27 - If the user is on the Vistra.com website, email marketing@vistra.com to remove them.
28 - Remove the user from the phone system for the office they work in (if applicable)
29 - Confirm with office manager/reception that user's door access card is disabled.
30 - Remove user's token details from Print Server
32 - Amsterdam users only, Remove user from the UC portal/ phone system
33 - Amsterdam users only, notify Eveline via e-mail
34 - Store the completed leavers form in the relevant leavers folder and return copy to HR attached to the ZenDesk ticket.
35 - Last Step
Create an appointment in your calendar three months from the user’s leaving date to do the following:
You can now go back to ”Exchange Management Console” & remove the mailbox by right clicking and choosing “Remove” (This will automatically remove the user account from “Active Directory Users & Computers”.) BE SURE THAT THE MAILBOX IS ARCHIVED TO THE CORRECT SERVER BEFORE YOU DO THIS
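Before the three-month removal, the AD side of the leaver steps above (2, 3, 4, 11 and 26) can be checked for every account in the Leavers OU with a read-only audit. This is an added example, not part of the original procedure; the OU distinguished name is a placeholder, and it assumes the Exchange schema attribute msExchHideFromAddressLists is present in the forest.

```powershell
# Added example: read-only audit of accounts in the Leavers OU against the
# leaver checklist. It changes nothing in AD; it only reports gaps.
Import-Module ActiveDirectory

# PLACEHOLDER distinguished name: the real OU path is not given on the page.
$LeaversOU = 'OU=Leavers,DC=example,DC=local'
$OutFile   = 'C:\Temp\LeaversAudit.csv'   # assumed output location
$Now       = Get-Date

$props = 'MemberOf', 'AccountExpirationDate', 'Description',
         'mail', 'msExchHideFromAddressLists'

$findings = foreach ($u in Get-ADUser -SearchBase $LeaversOU -Filter * -Properties $props) {
    $issues = @()

    # Step 3: only Domain Users should remain. Domain Users is the primary
    # group and is not listed in MemberOf, so MemberOf should be empty.
    if ($u.MemberOf.Count -gt 0) {
        $issues += "Still in $($u.MemberOf.Count) group(s): " + ($u.MemberOf -join ' | ')
    }

    # Step 2: an enabled leaver account must carry an expiry date.
    if ($u.Enabled -and -not $u.AccountExpirationDate) {
        $issues += 'Enabled with no account expiry date'
    }

    # Step 26: once the expiry date has passed, the account should be disabled.
    if ($u.Enabled -and $u.AccountExpirationDate -and $u.AccountExpirationDate -lt $Now) {
        $issues += 'Expiry date passed but account not disabled'
    }

    # Step 4: Description should hold the leave date.
    if (-not $u.Description) {
        $issues += 'Description (leave date) is empty'
    }

    # Step 11: mail-enabled leavers should be hidden from the address lists.
    if ($u.mail -and $u.msExchHideFromAddressLists -ne $true) {
        $issues += 'Mailbox not hidden from address lists'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Name           = $u.Name
        Enabled        = $u.Enabled
        Expires        = $u.AccountExpirationDate
        Description    = $u.Description
        IssueCount     = $issues.Count
        Issues         = $issues -join '; '
    }
}

$findings = @($findings | Sort-Object IssueCount -Descending)
$findings | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Show only the accounts that still need work.
$findings | Where-Object IssueCount -gt 0 |
    Format-Table SamAccountName, Enabled, Expires, Issues -Wrap

"{0} leaver account(s) checked, {1} with open issues" -f $findings.Count,
    @($findings | Where-Object IssueCount -gt 0).Count
```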
1. Check if username is available
Check the username in the Excel sheet or log in to Archive Manager and verify whether the normal username is already taken.
- Username = first.lastname
- Don't use the insertions of the user's name
- Tools – address book manager - mailboxes
- If a username is available you can use it
2. Create user account
- Log in to the AMS/LUX/JER or ZRH Admin server
- Open Exchange
- Right-click Mailbox and choose New Mailbox...
- Click on Next
- Choose User Mailbox and click Next
- Check the box “specify the OU…” and click on Browse
- Choose the correct OU and fill in the rest of the form.
PASSWORD SHOULD BE SET TO A RANDOM series of characters/numbers and NOT Vistra123
- Click on Next
- Tick to specify the mailbox and click on Browse
- The user should be added to the correct mailbox database
- The location and the database A-Z should be chosen from the user ID
- Example: Baumgas is in Zurich and B is in the mailbox DB of A-F
- Click on Next
- Don’t create an archive and click Next
- Short summary of the mailbox and click on New
3. Check mailbox settings
Double click/open the new mailbox and verify that the settings are correct
- Go to email addresses tab
- Go to mailbox features
- Disable OWA, AS, POP3 and IMAP
- Click on OK
4. Security groups
Make sure the user is in the right OU, in case you forgot to do this when creating the mailbox.
- Go to the General tab and fill out the missing information
- Connect the user's profile and home folder path; this changes from office to office as well. Compare with a different user account.
- Add the user to all requested groups:
IMPORTANT NOTE: See this article for Frankfurt users: https://itsupport.vistra.com/hc/en-gb/articles/115004827565-FRA-Datev
5. Welcome emails
Send welcome IT email. You can find the email here:
- \\work.local\itsupport\IT Support - Europe\Welcome to Vistra IT\Office 2010 Exchange 2010
- If the user works in one of the following offices (AMS/LUX/JER/CAY/LDN) please include the Worksite manual. The manual is in the same folder as the welcome IT email.
6. Add user to Zendesk
- Create the user in Zendesk and fill out all fields.
7. Add user to database
- You can find the file here: \\work.local\wordtemplates\
- You need to do this on one of the admin servers.
8. Licencing
- Open the following file: \\work.local\itsupport\Global\OV Starters and Leavers.xlsx
- Update it with the name and username of that person
9. Set up profile
- Log in to a workstation with the user’s account
- Set the Word font to Arial 10
- Do the same with Excel
- Do the same with Outlook. Add the signatures too.
- Set up Worksite
- Check printer(s)
10. Check email
- Send an email from the external email address: external.test.vistra@gmail.com (You can find the password in the password manager). Reply and see if that works.
- Do the same with internal email.
11. Email Business systems if required to set up Viewpoint
- For the offices: DXB, JER, LDN, MLT, GVA, ZRH and Zug
12. Change intranet settings
- Go to: https://intranet/Interact/Pages/Admin/People/Staff/Default.aspx?section=106
- Search for the user
- Change default homepage
- Starting date
- Choose manager
Here's an explanation of how I did the bulk change for the forwarding to reception for London. The first thing is that we needed to identify the reception pilot number. The reception software uses CTI ports to control the incoming calls. In your case, the pilot number is 5444, which you can see under "Device->CTI Route Point" and then clicking find. It's the one with a really long seemingly random name.
To make the change we're going to use the Bulk Admin Tool, so go to "Bulk Administration->Phones->Add/Update Lines->Update Lines"
Enter some criteria that identifies the extensions you want to change, click find and then click next
You're now presented with a page that looks the same as when you normally configure a line. What you need to do here is tick the box next to the value you want to change, and then set the value that you want to amend. In your case we wanted to change all the extensions to have a CFNA to the reception number, and then change the timer to 16 seconds, or 4 rings.
Then, once you've set everything you want to, scroll to the bottom, click "Run Immediately" or schedule as appropriate, then click submit
Once you've clicked submit, you can monitor your job by going to the job scheduler under "Bulk Administration" at the bottom. You can sort the jobs by submission time.
If you click on the job you submitted you can monitor its status and completion from there. Here's one of the bulk jobs I did to update the forwards.
You can review the logs and the present job status in there.
Bulk admin is a great tool, one of the essentials when you're managing a UCM. Worth having a look around it and familiarising yourself!
Over the past month or so I have been travelling often to our London offices. In those trips I/we have completed the below…
Park Lane to St James Square Office Move
Park Lane & Office Suites decommissioned
Visit Data Center
Orangefield now sitting in Vistra office
LLS Integration
Just a quick note to mention that LLS are a 3-person team; their PCs are connected via their own switch (shown below), which connects out to a dirty internet connection. There are 2 phones which are connected to our phone systems: 1 normal DDI & 1 phone which is their main LLS number, where they can forward this number to whoever they like via the forward button I have configured for them on that phone. Those phones are the only part of their setup that are on our network. They use Office 365 as their mail client & have their own local printer which all of the machines are connected to.
To support them of course you will need to ask them to go to nlremotesupport.vistra.com & connect to their machines that way.
Below are a couple of photos I managed to take..
\\work.local\itsupport\IT Support - Europe\Offices\London\London Photos
RP - 14/09/2016
Vistra London - Cisco Phone System / General Documentation
The Rotterdam office uses some software to create payslips every month. This is a tool for the time being; it will be replaced by NMBRS. This software needs to be updated every month or so. Marjolijn is the one that uses it and will inform us once the update is available.
1. Login AMSSRVCTX06
2. From there, open a new link to download the new update: https://mijn.loon.nl/
3. Click on download, as shown below:
4. Click on the latest update (Download Loon 2016) and check the date
Login details are stored in Password Manager
5. Use the proxy to download the file, save it to C:\Program Files (x86)\RoosRoos Loon\Updates
6. Make sure nobody is using Loon and run the update.exe file
7. After the update, start the program (Loon 2016) from Marjolijn's session and update the client files
To allow users access to hosts within Bomgar PAM, the hosts need to be added and made part of the right group. The steps below explain how to add a host in Bomgar PAM.
2. Log in to the console and hit the Create button. Note: Only make connections based on RDP or SSH (Shell Jump) sessions.
3. Follow the numbers below to add the host. Note: Make sure you select the right Jump Group to give the right party access to the right hosts.
When a third party tries to access a host, an email will be sent to our IT staff (based on the selected Jump policy) requesting approval of the session. The third-party staff will only be allowed to access the host once the session is approved.
Bomgar PAM is the privileged access management which Vistra uses to provide access to third-party users who are actively building and/or supporting applications on the Vistra network. All access is granted through approval and using both user credentials and domain credentials.
Add Third party users.
Third-party users log in to our PAM appliance through https://nlpam.vistra.com/login . To allow this, a local user is created using the administration account by following the steps below. This will only allow the person to log in to PAM. To be able to reach our hosts another account needs to be created. Depending on the type of host this can be either an SSH account or a domain account with access to the host. Follow the steps below to create a Bomgar PAM local user.
4. Fill in the username (AD naming convention), display name and email address, and a difficult password with a minimum of 8 characters combining numbers, letters and symbols.
5. Scroll down and change the session permissions to Third Party Support
6. Scroll down and hit Add User
7. Now we need to add the user to the right group policy allowing them to only see certain hosts. Go to the following menu using the orange menu bar on top of the page.
8. Select the corresponding Third Party Policy which the new user belongs to by hitting the Edit link on the right side of the view:
9. Within the policy hit Add. Select local group and search for the user created earlier. Selecting the user will add them to the policy. Scroll down and save changes once you are ready.
The user will now be able to log in using the provided credentials and see the right hosts depending on the group policy assigned to them. Don't forget to create a second user inside the actual host or domain, otherwise the user won't be able to connect.
Fax : 67883462 (local) or +65-67883426 (from overseas)
***Singtel DataCentre - EXPAN NOC***
NOC EXPAN DCOpns (Data Centre Operations) - Global Enterprise Business T +65 62818121 F +65 62811138 M +65 91381966 38 Kim Chuan Road, Kim Chuan 1 Telecommunication Complex Singapore 537055
In the unfortunate case of downtime, please contact us by telephone (+31 70 381 9218) or e-mail (helpdesk@dataweb.nl) during office hours. When an emergency occurs outside office hours, please call us at our 24/7 hotline; +31 70 369 4734. Please mind, this is for complete downtime of 99,9% connections only. Please notify us of other service interruptions or questions during office hours.
Due to the nature and security importance of the above websites, not all computers are allowed to access them; the firewalls are locked down.
How to provide access:
1. Ask for approval and whether front-office, back-office or both is required.
2. Depending on the requested access:
A: Front-office: Add the user and computer to the security group "Application - Amsterdam - FUZE" and restart the computer. This could take some time to replicate.
B: Back-office: Add the computer to a DHCP reservation, and request a senior member to apply the firewall changes.
3. The links should be available under Start > All Programs.
If users get an error about profiles being locked down when trying to start a Citrix desktop:
Change the following reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions
In the right pane, double-click the EnableLockdown value and change it from 1 to 0. Close the registry editor and try to start the published application on Citrix.
IT Contacts - Vistra Group - HP Enterprise Support
In-Warranty & Out-of-Warranty: +44 845 161 0030. Our line is now voice activated.
Mon-Fri / 08:00-18:00 (except Bank Holidays). Calls cost 4p per minute from a BT landline. Costs from other carriers may vary. Calls from mobile may be higher.
HPE Care Pack or Contract: +44 845 161 0050. Our line is now voice activated.
Mon-Sun / 00:00-24:00
Calls cost 4p per minute from a BT landline. Costs from other carriers may vary. Calls from mobile may be higher.
============ LUX =======
Contract: +352 27 303 111, 24x7
Warranty and Out of Warranty: +352 27 303 303, M–F 8:00–17:00
The Zurich office uses Sage50 for accounting mandates. The server is hosted on Hyper-V in the DC. The server name is Sage50, and it is inherited from a previously bought company (globalone).
How to install:
1. Go to \\zrhsrvsql01\public$\APPL\Sesam-CD and install the application.
2. Configure it during the wizard and point it to the right shares on the sage50 server:
Sage appl client mount point
\\sage50\sesam
Sage appl config mount point
\\sage50\Sage50Config\SPISecurity
This share (\\zrhsrvsql01\public$) is mapped for some of the staff as H:
Opening mandates:
The required information is stored on both H: (as mentioned above) and X:
X: is mapped to \\sage50\Sesam
Again, this does not apply to all the Zurich staff, as X: can be a different share for other people.
Below is the location (X:) of the company files. To open a company, open the file called "SFBINI.DAT" within the company folder.
1. Add the user to the "Security - Cyprus - Orangefield - ADA Users" security group.
2. Install \\FC-APPL\AdaAccounting\ADA\First-install-new\setup.exe. This will register the necessary DLL files.
3. Remove the executable from C:\program files so the user does not use it locally.
4. Copy \\FC-APPL\AdaAccounting\ADA\progs\aclock.mdb to C:\windows on the user's machine.
5. Map \\FC-APPL\AdaAccounting as a mapped drive with letter k:
6. Reach the icon from the Cyprus start menu in the user's start menu, or create a shortcut to \\FC-APPL\AdaAccounting\ADA\progs\ada-Acc\ADA-ACC.EXE on the user's desktop.
Start it and you should see the program running.
Install software from sources file. The key should be in the same location
Once installed, open Outlook and send an email to yourself. This should prompt PGP to open a wizard to secure the email account:
Choose ‘Yes..’ and then click next:
Choose ‘new key’ and click next
Click Next, then fill in the user’s name and email address:
Click next again, then fill in the passphrase.
For continuity, and ease of support, all of the staff in Cyprus have been set to ‘Namesurnamerules’ example: Jamiecarterrules
Click Next
Click ‘skip’ on the PGP Global Directory step, and the key is created.
This will also automatically create a messaging policy for that email account.
Next, right-click on the PGP icon in the system tray and choose ‘Open Symantec Encryption Desktop’:
Once open, choose ‘PGP Messaging’ from the menu on the left. You should see a screen like this:
Choose ‘Edit Policies’, highlight the ‘Require Encryption..’ policy and click ‘Edit Policy’
Configure the settings like this, with the user's own email address:
Click OK, then select ‘Opportunistic Encryption’ and click ‘Edit Policy’. Configure it like this, again entering the user's own email address:
Set master key & encrypt buttons:
Right-click on the system tray icon and choose ‘options’. Then choose the ‘Master Keys’ tab:
Click ‘Add’:
Double-click on the user's key in the next window to add it, then click OK:
Then choose the Notifier tab, check the box for ‘Use PGP notifier’
UNCHECK the box for ‘Ask me before sending email when recipient’s key is not found’:
Exporting the user’s Key.
Each user will need to email their own key to their clients, and then import their clients keys in order to be able to encrypt and decrypt emails between them.
To export the user’s key:
Open the Symantec Encryption Desktop console as above, then choose ‘PGP keys’ on the left, you should see something like this:
*Note – for most Cyprus users, they will already have a huge list of keys. Don’t worry about that for now.
Click on ‘My private keys’, there should be only one key here. If there is more than one, check the properties on each key and delete all those except the most recently created.
Highlight the key, then click ‘Email this key’
It will generate this email:
Importing Keys
When the user receives a client key to import, open the email with the key attached, and double-click on the key, click ‘Open’ then you should get this:
Select the key, and click ‘Import’.
That should be all.
Troubleshooting:
If the user has any issues encrypting or decrypting client emails, delete any existing keys for that client and then re-import the client keys. Ensure that the correct version of the user’s own key has been emailed to the client and imported.
Make sure that there is only 1 messaging policy present for the user, with their VISTRA address. Delete any others.
In Zurich there is a large paper archive located in a special room next to the reception. One of the Zurich staff scans these papers into CENSRV03.work.local using the two printers in that room (ZRHPRN004 and ZRHPRN005). This documentation attempts to explain this workflow and provide troubleshooting.
Scan server
HP Autostore server and NSI Autostore are used to host the archiving solution on the above-mentioned server. Both of these products have since been acquired by Nuance. At the moment we are using an older version. See the attachment for more detailed instructions about these solutions, to understand the technical side of each of these tools.
Scan Client
The two printers (ZRHPRN004 and ZRHPRN005) mentioned earlier both have Java applets in their NVRAM that provide a scan client, which is shown in the OSD menu of the printer. The client communicates with the server and recognizes scanned batches based on their barcodes. Whenever you change the IP of the server, you can apply the API commands below to change the IP the printers use to communicate with the server.
The barcodes are generated inside an MDB and printed. When scanning, a barcode is placed in front of each bulk scan so that the server can move the scans into their respective folder. See the location below, which is used to provide the Access MDB to the user to create barcodes:
The whole process is configured through a program called NSI Process Designer, which is located on CENSRV03. The designed process is then saved as a CFG file. This file is called an "autostore script", and it is run in the scan2map service, which communicates with the printers.
Troubleshooting:
Sometimes the printer does not show the OSD (On-Screen Display) menu. This might be caused by different factors:
- The printer is unable to ping CENSRV03 (10.38.10.150)
- The scan2map service has crashed or is not started on CENSRV03
If you have created a user in AD and added them to the correct Intranet security group (e.g. Security - Intranet Jersey Users) but they haven't synced through to the intranet, please check the below and make sure we have spare licences.
If you have checked the below and we have spare licences, please email help@interact-intranet.com and Interact will do a remote session to check the intranet logs and see why the user(s) aren't being synced through.
Note that AD syncs with the intranet every evening at around 9PM.
To block a sender, you can go to Directories, Groups, Click on the Blocked Senders folder on the left hand side, select the Build button and add the email address or domain.
When you contact Mimecast via phone, you will be asked for our Mimecast ID and account code, which can be found in the below screenshot. If you are asked for a security passphrase, this is available at the bottom of the ‘Dashboard’ when you log in to the Mimecast Console and also in the Password Manager under ‘Mimecast Security Passphrase’.
There is also a comprehensive knowledgebase available at the following link:
When deploying to a laptop, please follow the instructions below step by step!
BIOS Settings:
Ensure the following things are set in the BIOS, this may differ by manufacturer, some options may be in different places or not available.
1 - Disable TPM (The on-chip encryption function, McAfee is not compatible with this)
2 - Disable Secure boot
3 - Set boot mode to Legacy
4 - Set SATA mode to AHCI
5 - Set the BIOS (Admin) password to a random password, and store in a notepad file along with the encryption key (see this step later)
Installing McAfee components.
2. Log into the PC and make sure the following accounts are set up and part of the Administrator group.
Europe-IT ---> tsurt
User -------><random password, store this in the notepad file with the BIOS password>
3. Copy the contents of the folder "Offline Encryption - Autoboot" from \\amssrvfs001\sources$ to a USB stick.
4. Place the USB drive into the laptop and copy the contents of the folder to the root of C:
5. Go into the folder and open the "txt" and confirm it contains the following:
User:password
Europe-IT:password
If not, change it to match the above. DO NOT CHANGE the password part of the text.
6. Now open a command prompt and browse to "C:\Offline Encryption – AutoBoot" (for Windows 10, shift + right-click to open Windows PowerShell and start the command prompt from there).
There should be a txt file called "Offline Activation". It contains a command; copy this into the CMD window and run it.
7. If you now look under "C:\Offline Encryption – AutoBoot", two extra files will have appeared:
ESOfflineActivateCMD
OfflineActivation
8. To install the software, follow the steps below and make sure that you install in the specified order, or the encryption will not work!
Browse to C:\Offline Encryption – AutoBoot
Run "FramePkg" – This installs the McAfee Agent
Open the VSE880LMLRP6 folder and run "SetupVSE.exe" – This installs the Anti-Virus
Open the MfeEEAgent folder and run "MfeEEAgent64" – This installs the Drive Encryption Agent (if it’s a 32-bit machine, which is unlikely, run MfeEEAgent32)
Open the MfEEEPC folder and run "MfeEEPc64" – This installs the Drive Encryption Driver
After these have been installed in order, the laptop will need a restart.
9. Browse to C:\Offline Encryption – AutoBoot and run "Offline Activation"
A CMD box will appear and you will see it start to activate.
To confirm the process has started, right-click the McAfee agent and go to "Show Drive Encryption".
10. Upon restart, the laptop should go to the endpoint encryption login page. You will need to create security questions and passwords for both windows accounts.
**If the laptop gets stuck and will not boot, go into the BIOS, open System Configuration>SATA Operation, and ensure that ‘AHCI’ is selected. The laptop should then boot normally.**
11. Login first with the ‘Europe-IT’ account, the initial password will be set to 12345. Change this to match the windows account password.
12. You will then be asked to set 3 security questions, set the answers as follows:
What is your Favourite colour: Red
What is your Favourite song: dont worry be happy (this should be exactly like this, no punctuation)
What is your Favourite food: Steak
Then login to windows
Restart the laptop again, change to the ‘User’ account and log in with 12345, change the password to LetMeIn , and then if possible ask the user to set their own security questions. If they are not available, set them to different answers and provide the details to the user when the laptop is handed over.
Then login to windows.
13. Copy the laptop encryption key "EERecovery" from C:\ to a folder named with the laptop name to the USB stick, also copy the notepad file containing the passwords, then copy from USB to the following location on AMSSRVEPO001:
Share file Licencing - Quarterly Task
1) Log into https://chevault.sharefile.com (login details in Password Database)
2) Click “Manage Users” then click “Browse Employees”
4) Now that you can view all the employees, check for users who have not logged in for more than 3 months
* DO NOT email EX CO members, directors and IT staff!
like Martin Crawford, Ad de Beer, Walter Stresemann, etc.
5) Email the users and save the emails here:
See the attached email, which you can use as a template
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\sent emails
6) Wait for replies and save the emails here:
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\received emails
7) If they don't use Sharefile anymore:
- reset the password
- downgrade the account to client
6) Once you have completed CHE, you can move on to doing the same check for LUX Vault by logging into https://luxvault.sharefile.com (login details in Password Database)
General link:
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check
Please update the license sheet as shown in the monthly task https://itsupport.vistra.com/hc/en-gb/articles/207282665-Share-file-Licencing-Monthly-Task-M17
Task Complete
Zurich - install / update module (Kanton) in drTax 3.0
The guide below gives you a summary of the steps required to install and configure a bare-metal HP server. This guide is divided into the following tasks:
Hardware prep
Host prep
Disk prep
OS prep
Os configure
Domain joining
Additional installs
Hardware prep
Before starting with the software: in some cases the hardware supplier does not provide a server with the components already installed. In that case the server is delivered with all the parts boxed separately, and you need to install the components manually by removing the server tray.
HOST prep
Before patching the server into the network, start by finding an appropriate name and IP address for this server. The best way to do this is by pinging the same range and finding an unused IP. The ILO port will use the next IP, so make sure the next IP is also available. Use ILOSERVERNAME as the ILO hostname (replace SERVERNAME with the hostname).
To find the right range and amount please review a server with the same job in the network. Boot the server and hit the appropriate key (shown on screen) to boot in the ILO configuration and configure the ILO port. Activate the ILO license once you have access to it from your own desktop. Make sure you
Disk prep
Using the ILO, boot into the HP Array Configuration Utility, where you can configure the disks before starting the OS installation. Vistra's standard disk array configuration is:
- RAID 1 - consisting of two smaller disks to host the OS
- RAID 5 - consisting of four bigger disks to host the application/data
OS prep
Once you have done the necessary, you are ready to install the OS onto the first RAID. To install an OS you need to mount the appropriate ISO from the ILO web page to be able to boot into it. Remember to mount the ISO from a close-by host to avoid hitting bandwidth thresholds. Start installing the OS once the ISO is booted. Use the OEM key (sticker on the server) if you have a licensed machine, and use a Volume License key if this machine is not licensed yet.
OS configure
Once the OS is installed and running, apply Vistra's required configuration. Configure the following items:
Setup the Hostname
NIC (teaming, at least 2)
assign IP
Install the Drivers
Set Timezone
Install UK and US keyboards
Disable firewall
Activate windows
Update windows
Server manager > disable IE enhanced Security Configuration
Domain Joining
Once you are done configuring the above, it's time to join the server to the domain. Make sure you have local admin privileges before doing this. Follow the steps below.
Create an AD computer object in the appropriate OU
Join the server to the domain, restart the server and log in again as local admin
Depending on what this server is going to do, add the security group required for this server role. Example: Security - IT - Amsterdam Screening Deployed Administrator
Additional install
For a server to run securely, and to be monitored and licensed properly, you need to install the software components below.
McAfee: Deploy agent and VSE using EPO (add host to the tree)
Opsview: Install opsview client, change the service account to work\svcopsview and configure the host in Opsview (see: KB here)
Snow: install the setup found in sources$
Your server is now ready to use and you can install and configure additional roles, features, applications as needed to use this server.
Please find the below instructions useful for troubleshooting issues with adding/installing printers.
Error message:
Windows cannot connect to the printer 0x00000057
Troubleshooting:
1) On a machine with the same driver installed (and working properly), open Regedit, and browse to:
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\
2) Locate the subkey for the printer driver you are dealing with and click the key for the printer driver.
3) Look for the “InfPath” on the right. Note the path.
5) Now browse to C:\Windows\System32\DriverStore\FileRepository and locate the folder indicated in the InfPath reg value.
6) Go to the user's computer exhibiting this behavior, and browse to C:\Windows\System32\DriverStore\FileRepository and see if the folder is present. In my case, the folder was present, but empty. If it is here and it is empty, you will have to modify security on the folder, first taking over ownership, then granting yourself full control.
7) Once security is granted, copy the contents of this folder from a good machine to the machine presenting the 0x00000057.
Please try now to add/install the printer again and it should work normally.
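The comparison in steps 1 to 6 can be scripted and run on both the working and the failing machine. This is an added example, not part of the original procedure: it only reads the registry and the driver store, and the function name and status labels are made up for illustration.

```powershell
# Added example (read-only). Function name and Status labels are illustrative.
# For every print driver registered under Version-3, read InfPath and report
# whether the DriverStore folder it points to is present and populated.

function Get-PrintDriverStoreStatus {
    param(
        # Environment subkey as used in the procedure above; 64-bit drivers are
        # registered under 'Windows x64' instead.
        [string]$Environment = 'Windows NT x86'
    )

    $driversKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$Environment\Drivers\Version-3"
    if (-not (Test-Path -LiteralPath $driversKey)) {
        throw "Registry key not found: $driversKey"
    }

    foreach ($key in Get-ChildItem -LiteralPath $driversKey) {
        $infPath = (Get-ItemProperty -LiteralPath $key.PSPath).InfPath
        $files   = $null

        if ([string]::IsNullOrWhiteSpace($infPath)) {
            $status = 'NoInfPath'
        }
        else {
            # InfPath names the .inf file; the driver package is its parent folder.
            $folder = Split-Path -Path $infPath -Parent
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
                $status = 'FolderMissing'
            }
            else {
                try {
                    $files  = @(Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction Stop).Count
                    $status = if ($files -eq 0) { 'FolderEmpty' } else { 'OK' }
                }
                catch {
                    # Typically broken permissions: the case where ownership
                    # has to be taken before the folder can be repaired.
                    $status = 'Unreadable'
                }
            }
        }

        [pscustomobject]@{
            Driver  = $key.PSChildName
            Status  = $status
            Files   = $files
            InfPath = $infPath
        }
    }
}

Get-PrintDriverStoreStatus | Sort-Object Status, Driver | Format-Table -AutoSize -Wrap
```

A driver that shows OK on the good machine and FolderEmpty, FolderMissing or Unreadable on the affected one is the folder to repair in steps 6 and 7.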
In Windows 7 x64 or Windows Server 2008 R2 the Mail (32-bit) applet shows a blank icon & does nothing when you click on it.
However if you run it manually using the following command it runs just fine.
c:\Windows\SysWOW64\control.exe mlcfg32.cpl
Use the following steps to resolve the issue.
Close the Control Panel.
Open Regedit & browse to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.
Right click mlcfg32.cpl & select Modify.
The current value will be something like C:\PROGRA~2\MICROS~2\Office14\MLCFG32.CPL. Note that the path may be different in your case depending on where Office is installed.
Change any single character in the path, then click OK (e.g. C:\PROGRA~2\MICROS~3\Office14\MLCFG32.CPL).
Close Regedit.
Now open the Control Panel & notice that the applet is gone.
Close the Control Panel.
Open Regedit & browse to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.
Change the value of mlcfg32.cpl back to C:\PROGRA~2\MICROS~2\Office14\MLCFG32.CPL.
Close Regedit.
Now open the Control Panel & notice that the applet is back & the icon is displaying properly.
Sometimes remotely reaching an ARCSERVE UDP agent webpage (https://server:8014) gives you the below sad face:
Cause:
This is because some older agent versions running on our hosts have an insecure DSA 128 SSL key which is hackable. It affects all agent releases from D2D r16/16.4 to UDP version 5 update 3.
Solutions:
You need to sign a new SSL key and mount it to Tomcat on the server.
Unable to open PDF files in Internet Explorer with PDF Converter Professional 8
Problem:
When attempting to open a PDF file in Internet Explorer, one of the following circumstances may occur:
The file may not be displayed
Internet Explorer flashes in and out of focus
An error message appears
Cause:
The following are the main reasons why PDF files cannot be displayed properly within the PDF Converter Professional Web Viewer:
The security settings of Internet Explorer block the PDF Converter Professional web viewer from launching successfully.
A failed installation of the PDF Converter Professional web viewer.
Incompatibility with the design of a website.
Note: Some websites are specifically designed to use Acrobat for displaying PDF files. These sites will not work with PDF Converter Professional.
Solution #1:
Ensure that the Internet Explorer security settings are not set to "High". The "High" security setting can block the PDF Converter Professional Web Viewer from loading. Follow these steps to adjust the Internet Explorer security settings:
Click "Start > Control Panel".
Select "Classic View" on the left panel if it isn't already enabled.
Double-click on the "Internet Options" link.
Select the "Security" tab and then click the icon labeled "Internet".
Adjust the security level to "Medium-high" or lower.
Note: If there is no slider available, click the "Default level" button to enable the slider.
Solution #2:
If the PDF Converter Professional Web Viewer is still failing after adjusting the Internet Explorer security settings, unregistering and re-registering the Web Viewer may resolve some issues. Follow these steps to re-register the Web Viewer:
1. Close out of all applications, especially Internet Explorer.
2. Click "Start > Run" to open the run dialog. It is also possible to use the "Windows Key + R" keyboard combination to open the Run dialog.
3. Use the command below to unregister the Web Viewer. The path will need to be adjusted if PDF Converter Professional was not installed to the default location:
regsvr32 /u "C:\Program Files\Nuance\PDF Professional 8\bin\GPlusDocServer.ocx"
4. A dialog will appear stating that the unregister server succeeded. If any other message appears, check that the file location is correct.
5. Open the "Run" dialog again using the same method in Step 2.
6. Use the second command below to re-register the Web Viewer. The path will need to be adjusted if PDF Converter Professional was not installed to the default location:
regsvr32 "C:\Program Files\Nuance\PDF Professional 8\bin\GPlusDocServer.ocx"
7. A dialog will appear stating that the register server succeeded. If any other message appears, check that the file location is correct.
Solution #3:
If after following Solutions 1 and 2, PDF files still cannot be opened within Internet Explorer, it may be an incompatibility with the website design. In this case, we recommend unregistering the Web Viewer and leaving it disabled. When accessing a PDF file with the Web Viewer disabled, a message will appear prompting the user to open or save the file. Clicking "Open" will open the PDF file within the PDF Converter Professional application, rather than the Web Viewer. Clicking "Save" will prompt the user to specify a location to save the file to.
Note: To unregister the web viewer, follow Steps 1 through 4 of Solution # 2. Do not re-register the Web Viewer by completing the remaining steps.
Install \\cypsrvsql001\Unity\Setup\setup.exe. Follow the steps of the Install Wizard. At the end of the install, a progress screen like the one in the screenshot below will pop up and should contain lots of green ticks. If this is not the case, please use the button at the top of the screen to copy the text, paste it into an email and send it to Unity support for review.
If the install was successful you can now open Elements. Under Start -> All Programs -> Unity Software you should find two databases: 'Unity Elements' and 'Unity Elements Test'
Please open one of the two databases and ensure you can:
Log in.
Load an entity by double clicking on one from the All Live Clients list.
Check to ensure that on load of the entity the Entity Summary Report has opened.
Load a second entity by clicking on the entity search icon at the top (Unity Logo).
Remove old shortcuts and create new ones
Run unity and let the user test it
Move on to the next PC
Additional information (Troubleshooting)
If there are any issues regarding the underlying XLS files in Unity, you need to change the paths:
Change the path of unity share in HKCU\Software\VB and VBA Program Settings\Unity\General\UnitySharedPath to: \\CYPSRVSQL001\unity
Change any additional desktop shortcut to the new UNC path: old: \\CYPSRVEXC001\unity\UnityElements new: \\CYPSRVSQL001\unity
You will also need a DSN reg key as per below. The Value data will be the name of the database.
When you open Excel using the FX Import option in unity the database path should be entered as follows:
Permission Unity Users
When multiple people in the office are unable to access or add accounts.
Call Laura Michael or Nick Terry, they have Admin rights on Unity.
In Unity go to security and choose "Permissions".
This opens the Permissions option.
Choose Unity form for the Object type. Then select the "group".
Only "admins" and "Users" groups are being used by the Cyprus office.
For the users, all Four settings need to say yes, this can be done by selecting one and press the green check mark in the left-hand corner.
Let the user log out of Unity and back in, the permission changes are immediate.
If you're still having issues please contact Microgen.
5. Install SQL client 2012 (optional, if the PC/Citrix server doesn’t have it)
ODBC Setup
USER DSN configuration (must be configured in the user's profile, i.e. you must be logged in as the user on his/her own PC or Citrix session):
Go to ODBC Data Source Administrator > click “ADD”
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
Create New Data Source > Select SQL Server Native Client 11.0
2. Copy the settings on the screenshot below and click NEXT (the values will differ depending on the ODBC connection that was used to generate the Screening Deployed describe file)
3. Copy the settings on the screenshot below and click NEXT
Login ID: sgpsdws
Pw: (in pw db)
4. Copy the settings in the screen shot below and click NEXT
5. Click Finish and Click on “test Data source” > connection must complete successfully
6. Open the Investigator application
("C:\Program Files (x86)\Screening Deployed\investigator.exe") – 64-bit PC
("C:\Program Files\Screening Deployed\investigator.exe") – 32-bit PC
Login details
Username: W001
Pw: test1ng
A successful log in will mean that the USER DSN is working properly
END…
Europe - Bomgar PAM Console Monitoring and approval
The instructions below are meant for approving and monitoring the sessions started by third-party support companies. Please see this article to instruct third parties how to connect to Vistra's systems.
Approve a session:
When a third party tries to access our systems, they first select a system inside their PAM console and request access. The request includes the following information:
Request from
Request Reason
Request time
See the request screen below:
An e-mail including this request will be sent to the required approver(s). Depending on which group requires access, one of the mail groups below is used.
The email includes a hyperlink where the session can be approved, including a comment. The comment will be shown to the requester upon accessing the server.
See below the approved notification which the third party receives:
Monitor / Take over session
Third-party sessions to Bomgar PAM are visible to Business system and selected IT support members. The Bomgar PAM console makes it possible to monitor or take over a session. The steps below help you use the Bomgar PAM Console:
Start by installing the Bomgar PAM Console from Sources$. Upon first run, please pin this application to the Windows taskbar for later access.
Use your domain admin credentials to log in:
If you followed the above steps correctly you should see the Bomgar PAM Console on your screen:
a) Select all teams.
b) See the connected third parties, select one and hit (d) Monitor/Take Over (this will show their console).
c) Select an active session to one of our servers and hit (d) Monitor/Take Over (this will show the console including their session to our server).
e) Select the user to chat, send/receive files or show your screen.
Note: when monitoring or taking over a session, confirm selecting the correct third party's screen. You will only see the Bomgar window on the correct screen by selecting that screen.
How to clean local print drivers from a user's machine
When a user has problems printing from their PC, you can check whether there are non-related printers installed on the machine (for example: HP, Konica Minolta, Xerox).
To clean the print drivers, follow these steps:
1. Run cmd > net stop spooler
2. Clean up the registry: in the following registry key, remove all unwanted subfolders but leave the Microsoft and PDF print drivers.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3
3. Clean up the drivers folder: in the folder below, add an extra view column in Explorer named “Company”.
C:\Windows\System32\spool\drivers\x64\3
Remove all .dll files from HP, Konica Minolta and Xerox. You might want to kill tasks which are holding these DLL files using Task Manager.
4. Run cmd > net start spooler
5. Run printui /s /t2
Check whether there are still printers installed which need to be removed, and if needed remove them from here.
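Before deleting anything in step 3, it helps to list which DLLs in the driver folder belong to the vendors named above and which processes still have them loaded. This is an added, read-only example, not part of the original procedure; the function names and the company-name pattern are assumptions to adjust to what the Company column actually shows.

```powershell
# Added example (read-only): nothing is deleted and no process is stopped.
$driverDir = Join-Path $env:windir 'System32\spool\drivers\x64\3'

# Assumption: text expected in the file's Company field for HP, Konica Minolta
# and Xerox drivers. Review the unfiltered list first and adjust.
$vendorPattern = 'Hewlett|\bHP\b|Konica|Minolta|Xerox'

function Get-DriverDllCompany {
    # Same information as the "Company" column in Explorer, for every DLL.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Name     = $_.Name
                Company  = $_.VersionInfo.CompanyName
                FullName = $_.FullName
            }
        }
}

function Get-ProcessHoldingFile {
    # Lists processes that have any of the given files loaded as a module.
    # Run elevated; processes that cannot be inspected are skipped.
    param([string[]]$FilePath)
    if (-not $FilePath) { return }

    $wanted = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($f in $FilePath) { [void]$wanted.Add($f) }

    foreach ($proc in Get-Process) {
        try { $modules = @($proc.Modules) } catch { continue }
        foreach ($module in $modules) {
            if ($module -and $wanted.Contains($module.FileName)) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Id          = $proc.Id
                    File        = $module.FileName
                }
            }
        }
    }
}

$all    = @(Get-DriverDllCompany -Path $driverDir)
$vendor = @($all | Where-Object { $_.Company -match $vendorPattern })

'DLLs per company:'
$all | Group-Object Company | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

'Vendor DLLs matching the pattern:'
$vendor | Format-Table Name, Company -AutoSize

'Processes holding those DLLs:'
Get-ProcessHoldingFile -FilePath $vendor.FullName | Format-Table -AutoSize
```

DLLs with an empty Company field are not matched by the pattern, so check the per-company table for a blank group before assuming the folder is clean.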
The instructions below are meant for third parties accessing the authorized systems inside the Vistra network. You can also use the attachment to inform the authorized parties.
Click on the following application and accept the policy agreement. Note: You need Citrix Receiver installed. If you are visiting the website in a non-Microsoft web browser, you need to manually run the downloaded Citrix connection file after download.
Log in with the same Windows credentials in the next screen:
If you followed the above steps correctly you should see the Bomgar Console on your screen:
You will see the servers which you can request access for. Double-click on a server to request access. Describe the reason for this connection and the time you need for this session. The required approver will receive an email with the request, which needs to be approved first.
Once approved, you will get a popup inside the Bomgar Console indicating that the session is approved.
Inside the Bomgar Console, double-click on the approved server again to start an RDP session. Log in using the same Windows credentials in the popup below.
If you have followed the steps correctly you now have an RDP session to the server:
3) Click “Manage Users” then click “Browse Employees”
4) Now that you can view all the employees, perform a comparison between the Sharefile database & the spreadsheet (\\work.local\itsupport\Global\Sharefile Licensing) under the “CHE” tab on the spreadsheet.
5) If you notice any users that are in the Sharefile database but aren’t on your spreadsheet, add them to the spreadsheet so that it is a complete mirror of the Sharefile database.
6) Once you have completed CHE, you can move on to doing the same check for LUX Vault by logging into https://luxvault.sharefile.com (login details in Password Database)
7) Click “Manage Users” then click “Browse Employees”
8) Now that you can view all the employees, perform a comparison between the Sharefile database & the spreadsheet (\\work.local\itsupport\Global\Sharefile Licensing) under the “LUX” tab on the spreadsheet.
9) After you have checked all the staff, please ensure you do a total (as shown below) on both CHE & LUX.
10) Final part - Click on the Licences tab, browse to \\work.local\itsupport\Global\Accounts\OrdersIndex & update the spreadsheet with any recent purchases of Sharefile licences for both CHE & LUX.
Task Complete
In FOG-enabled offices, building/reimaging PCs is done through image deployment using the FOG server. This guide explains how to use FOG to deploy images to new and used machines. It is important, however, to remove existing PCs from ePolicy (EPO).
Process Summary:
The following steps are taken to deploy a PC.
Register host/s by either preferred method
Through the PXE menu by choosing the option: Perform Full Host Registration and Inventory
Postimage: Wait until the PC is up and run the postimage
Drivers: After reboot run the autoinstall drivers.
McAfee: Move the host in McAfee EPO to the right group
The next part of this KB explains the above steps in detail. The preferred method is using the PXE menu.
Detailed process:
The detailed instructions below explain how to deploy an image. NOTE!!: when buying PCs in batch, make sure the supplier pre-enables the settings below and provides you with a list of MAC addresses.
In the BIOS, change the setting to allow NIC and PXE booting. You also need to enable the NIC in the boot sequence:
Boot the PC using the F12 key and select boot to NIC.
Keep pressing the ARROW KEYS until you see the menu below, so that the machine does not skip the FOG PXE.
Depending on whether the PC is new or used you should see the following screens. You need to register new PCs first before being able to deploy an image to them. Follow the steps:
New Machine Register and deploy
Used Machine Deploy
Upon selecting Full Host Registration, a wizard will guide you through the process:
Type in the PC name (example: AMSWRK###)
Select the latest image file (use ? for help)
Type Y and select the correct group (use ? for help). Example: AMS
Type N for Product Activation
Y for adding to AD
Leave the Primary user blank
Leave TAG1 and TAG2 blank
Y for deploying the image to this PC
Enter your FOG username and password.
Force shut down the PC and start via PXE again.
The image will now download to the PC. Wait until you see the desktop or are able to log in using your domain account.
From the desktop, run the green postimage icon shown in the right column.
Log in with an admin account and run the autoinstall driver script from sources twice.
Move the PC in McAfee ePolicy from lost&found>Workgroup to activate and encrypt it.
After selecting Quick Image, follow the steps below to deploy the image to this PC:
Enter your FOG username and password.
The image will now download to the PC. Wait until you see the desktop or are able to log in using your domain account.
From the desktop, run the green postimage icon shown in the right column.
Log in with an admin account and run the autoinstall driver script from sources twice.
Move the PC in McAfee ePolicy from lost&found>Workgroup to activate and encrypt it. Remove any duplicate hostnames.
From here, log in to amssrvprn001 -> open Equitrac Office Manager -> select the printer and fill in the correct Admin ID and password -> Initialize. This will take up to 5 minutes and the printer will be rebooted.
Depending on the user's function, add the admin username to one of the AD groups below:
Application - IT - Vistra Group - Bomgar ITreps
Application - IT - Vistra Group - Bomgar ITreps CEE
Application - IT - Vistra Group - Bomgar ITManagers
Application - IT - Vistra Group - Bomgar BSreps
Application - IT - Vistra Group - Bomgar BSManagers
How to support users with Bomgar
There are different ways to support users using Bomgar. Please decide the best possible method depending on the situation and below chart:
link to support Portal: https://nlremotesupport.vistra.com/
This method is the fastest and easiest support method. "Jump Client" is a Bomgar client tool which runs on Windows clients and is deployed through GPO. The currently available offices are Amsterdam and Luxembourg. This feature will expand to other offices. Once this is done the PC will be available right from the Rep console. Unlike jumping to a PC, this method does not need installation, which saves you time on connection.
Search for the computer inside your Rep. Console.
Check if the right person is behind the pc:
Double click or hit button to remote connect.
Jump to:
In case the Jump client is not deployed or missing you can also manually run it:
In the Rep console, click on Jump to... at the top of the screen
Select the correct JumpPoint, where the PC is in that hub (example: Jersey for LDNWRK PCs)
If login screen appears. Login using your admin account.
Ask for user to accept.
Support Portal - Select Engineer
This method works best for the following situations:
- The client is outside Vistra's network
- None of the previous methods works for clients
Users have the red-marked print queues below in Amsterdam, which they receive through GPO on logon. These print queues are installed on AMSSRVPRN001 and are virtual print queues. The physical queues are also installed on the same server. The Equitrac database and services are installed on the same server. The services depend on standard Windows services, for example the DNS client service.
When a user prints to these printers, the job will be held on the server until the same user authenticates on a printer. The job will then be forwarded to the physical print queue which is also installed on the same server. On the server use this shortcut to see the held jobs. You need to open the window from the taskbar after running this shortcut.
Card authentication: A new user needs to swipe his/her Schiphol pass and log in using the same Windows username and password to register the pass (card)
Alternative authentication: In case the user doesn't have the Schiphol card, an alternative PIN code may need to be created using the following steps:
On AMSSRVPRN001 run the following shortcut as administrator and connect to localhost
In the new window click on Users(A) and select the user by clicking (B)
Enter a unique 4 digit number(C) hit OK and give this pin to the user.
Troubleshooting
Users are having Printing issues:
Check whether there are services not running and restart them if needed. Restarting should not give any error. In case you get dependency errors, check Event Viewer to find the missing/stopped Windows services and start them accordingly.
Authentication issues relate to the EQ DCE Service
Print job issues relate to the EQ DRE Service
Cleaning the queue:
Use this only if the problem occurs on all the printers and the above solution does not solve the issue.
Stop EQ DRE Service
Clean spool folder C:\Documents and Settings\svcamsprn\Local Settings\Application Data\Equitrac\Equitrac Platform Component\4\EQDRESrv\EQSpool
Start EQ DRE Service
Printer Inventory Amsterdam:
7th Floor
Entrance Left = 10.40.30.71 Entrance Right = 10.40.30.72
Pantry Left = 10.40.30.73 Pantry Right = 10.40.30.74
HR Left = 10.40.30.75 HR Right = 10.40.30.76
8th Floor
IT Left = 10.40.30.86 IT Right = 10.40.30.85
Support = 10.40.30.87
Entrance Left = 10.40.30.81 Entrance Right = 10.40.30.82
Pantry Left = 10.40.30.83 Pantry Right = 10.40.30.84
Mapped drives are assigned through Group Policy Objects across sites, devices, groups and in some cases even specific users. The following instructions explain how these policies are assigned and how to read the sheet attached to this article.
The mapped-drive group policies are assigned in multiple layers. See the corresponding sheet columns (X) below in red. Please read the explanation and scroll down to download the Excel sheet.
Sheet Column | Explanation of each Column
(A) | Group policy name (GPO)
(B) | Which drive letter/s the GPO is mapping (marked red if not unique)
(C) | Each drive letter has its own UNC share path. Note: a drive letter might be used for more than one share; these drive letters are marked red in the sheet. Example: the T drive in office A might be different from the T drive in office B (different path)
(E)(F) | The GPO will apply to the specified group/s and/or user/s
(H)(I)(J) | The GPO is linked to 1 or more OU containers in AD.
(M)(O) | Filter: even when you are part of the groups mentioned, sometimes you do not get the mapped drives required. This is because in some cases you also need to be part of more than one group to get that GPO applied to you.
(L)(N) | These columns indicate whether the group is mandatory or optional (either of the groups required, or both)
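The layering described in the sheet can be checked mechanically once its rows are in a script. The following is an added example, not part of the original article or the attached sheet: all GPO names, groups, OUs and share paths are constructed placeholders, and the reading of the filter columns (every mandatory group required, plus at least one optional group when any are listed) is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DriveGpo:
    name: str          # column A: GPO name
    drives: dict       # columns B/C: drive letter -> UNC share path
    apply_to: set      # columns E/F: groups and/or users the GPO applies to
    linked_ous: list   # columns H/I/J: OU containers the GPO is linked to
    mandatory: set = field(default_factory=set)  # filter groups, all required (assumed reading)
    optional: set = field(default_factory=set)   # filter groups, one is enough (assumed reading)


# Constructed sample rows; every name and path below is a placeholder.
SAMPLE_GPOS = [
    DriveGpo("Drives-OfficeA",
             {"T": r"\\fs-a.example.test\teams", "H": r"\\fs-a.example.test\home"},
             {"OfficeA-Staff"}, ["OU=OfficeA,DC=example,DC=test"]),
    DriveGpo("Drives-OfficeB", {"T": r"\\fs-b.example.test\teams"},
             {"OfficeB-Staff"}, ["OU=OfficeB,DC=example,DC=test"]),
    DriveGpo("Drives-Finance", {"F": r"\\fs-a.example.test\finance"},
             {"OfficeA-Staff"}, ["OU=OfficeA,DC=example,DC=test"],
             mandatory={"Finance"}, optional={"Finance-Read", "Finance-Write"}),
]


def non_unique_letters(gpos):
    """Letters mapped to more than one UNC path (the cells marked red in the sheet)."""
    paths = defaultdict(lambda: defaultdict(list))
    for gpo in gpos:
        for letter, unc in gpo.drives.items():
            paths[letter.upper()][unc.lower()].append(gpo.name)
    return {letter: dict(by_path) for letter, by_path in paths.items() if len(by_path) > 1}


def in_linked_ou(user_dn, linked_ous):
    """True when the user's distinguished name sits under one of the linked OUs."""
    dn = user_dn.lower()
    return any(dn.endswith("," + ou.lower()) for ou in linked_ous)


def gpo_applies(gpo, user, user_dn, groups):
    """Walk the layers in order and return (applies, reason)."""
    if not in_linked_ou(user_dn, gpo.linked_ous):
        return False, "user is outside the linked OUs"
    if user not in gpo.apply_to and not (groups & gpo.apply_to):
        return False, "not in any group the GPO applies to"
    missing = gpo.mandatory - groups
    if missing:
        return False, "missing mandatory group(s): " + ", ".join(sorted(missing))
    if gpo.optional and not (groups & gpo.optional):
        return False, "needs one of: " + ", ".join(sorted(gpo.optional))
    return True, "applies"


def effective_drives(gpos, user, user_dn, groups):
    """Drives the user should receive, plus letters claimed by two applying GPOs."""
    mapped, clashes = {}, {}
    for gpo in gpos:
        if not gpo_applies(gpo, user, user_dn, groups)[0]:
            continue
        for letter, unc in gpo.drives.items():
            letter = letter.upper()
            if letter in mapped and mapped[letter][1].lower() != unc.lower():
                clashes.setdefault(letter, [mapped[letter]]).append((gpo.name, unc))
            else:
                mapped[letter] = (gpo.name, unc)
    return mapped, clashes
```

The reason string from gpo_applies answers the usual helpdesk question of why a user in the right office still does not get a drive; a non-empty clashes result means two applying GPOs claim the same letter for different shares.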
Please be advised that Policyhub uses SSO (single sign-on), which connects to our ADFS (Active Directory Federation Services) server located in Amsterdam.
For the SSO process to work in IE we have deployed IE settings via a group policy. If you receive the prompt below, you will need to look at why the policy has not worked\applied; in the meantime you can manually configure IE with the settings below to get SSO working:
Let either Wendy or Maro know if you have any further questions.
Example: Authentication prompt when IE Settings are incorrect
Check the availability, select the correct domains and click on Order
Fill out the details:
Purchase Order Number – take this from IT order spreadsheet
Client – Select ‘Client Domain from list’
Division – Select office location for domain
Name Servers – this should always be Com Laude Global Servers for client domains
Registrant – this should always be Com Laude local presence for client domains (refer to example4 below)
Admin – this should always be Domain Administrator Com laude for client domains (refer to example5 below)
Comments – Add in any required comments
Requested by – Name of staff member requesting domain
Client Entity Number – This is the number from the offices business system for example viewpoint \ SAP
Services provides – enter the domain services i.e. email\website
Register immediately stops Com Laude check – note country domains usually take 2-3 days to register therefore this is only applicable for domains like .com
Click on Order:
Check domain:
Group - Provision Mobilepass token to user on SAS portal
Check if you get the binaries (exe files) in C:\Program Files (x86)\gemalto - corrupt REG keys / insufficient access result in faulty installations that end up with too few files (no exe files) (use M$ FIX it)
Add the site to the trusted zone, change the zone to accept any kind of ActiveX and set it to low (say Yes on the warning).
Make sure older versions are gone (setup path and IE addon) and clear the Java cache from Control Panel.
Check whether IE is running in 32-bit mode through Task Manager (starting from the right path is not enough).
Reset IE and delete cookies (don’t delete favorites/forms/password).
2) Launch “Viewer” on your desktop. Can also be found in (C:\Program Files (x86)\Canon Remote Operation Viewer 2.0).
3) Enter the IP address of the printer you want to connect to & click “OK”
JERMFD01 – 10.4.30.101
JERMFD02 - 10.4.30.102
JERMFD03 - 10.4.30.103
JERMFD04 - 10.4.30.104
4) Password can be found in the password database under (Vistra/Jersey/Printers/Remote Assisting MFD Uniflow Screen)
5) You will now see the interface of the printer, you can watch what the user is attempting to do if they are experiencing a problem.
6) If you would like to log into the machine as an admin click “PIN Code”
7) You will be able to log into the admin interface of the printer. Password can be found in the password database under (Vistra/Jersey/Printers/Uniflow Admin Password)
Uniflow Jersey - Assigning a temporary pin RP 18/11/2015
1) Remote desktop to “JERSRVPRN01”
2) On your desktop you will see the below. “Uniflow Server Configuration”, Launch this.
3) Click “Continue to this website”
4) You will be asked to log in, click on the PIN option on the right hand side & the password to log in is in the Password DB.
5) You will then be able to see the Uniflow interface, click “Base Data” on the right hand side, then click “User”.
6) You will now be able to see all the users that are imported in Uniflow.
7) To search for the user who has forgotten their access card & needs a temporary PIN code to print, use the highlighted filter function below.
8) Once you have found the user you want to assign a temporary PIN code to, click on the user
9) Click “Add Identity”
10) Under “Identity Type” you will see an option called “Pin Code”; choose it.
11) Set a Pin Code under the “Value” column & click “Add Identity”
12) Click “Save + Back”
13) Set a reminder to remove the PIN Code the next morning.
14) Click the RED cross (as shown below) to remove the PIN code from the user's account
Current version: 1.33_1611215
There is now a tool with a GUI available to manage out of office for users. The following instructions explain running and using this tool.
Running the tool: Log in to one of the admin servers and run the OOO_v1 program from the desktop:
AMSSRVADMIN001 (fastest)
LUXSRVADMIN01
JERSRVADMIN001
ZRHSRVADMIN01 (little slow)
HKGSRVADMIN01
Using the tool: The basic workflow is:
- Request the user from Exchange
- Change his/her setting and message
- Save changes
See the screenshot below. Each red marked number refers to the step below.
Optional: use the corresponding SRVEXC / USER / SRVAdmin for connection to get fast responses.
Check your server and click Login. You will see a notification when this is successful: "Logged in successfully, there you go!"
Start typing the person's name / username in the dropdown field. There is some autocomplete functionality which you'll notice while typing.
Hit the "Show Stat" button to request the current Out of Office setting of that particular user.
Enable/Disable the out of office as requested.
Set internal/external/date options as requested.
Fill in the internal/external message as requested. (type Arial for font)
Save Changes
Hit Show Stat(3) to review the changes being applied and use the red icon on the top right corner to exit.
Pixel Building - Connection 1st floor <-> 4th floor
POST has installed a new small switch for the IP Telephone
Ports information on the panel
Port1 internet - small switch netgear gs205
Port2 ip tel - switch post ip tel LEBC
Port3 ip tel - switch post small ip tel Vistra
Port4 vistra network - port1 cisco switch
To upgrade EPO from 5.x.x to version 5.3, follow the steps below:
CAUTION: Do not upgrade from 5.1.2 to 5.3. In this case go through an intermediate version first (5.1.3 for example)
1/ Verify that the EPO SQL database has been backed up correctly and create a checkpoint of the EPO server.
2/ Delete the temporary / log files of EPO software:
-Stop EPO services.
-Delete the files under the folders below:
<ePO_installation_directory>\Server\Temp
<ePO_installation_directory>\Server\Logs
<ePO_installation_directory>\DB\Logs
<ePO_installation_directory>\Apache2\Logs
-Start the EPO services
3/ In the folder "UpgradeCompatibility" of the EPO package you downloaded, run the "UpgradeCompatibility.exe" file and install the needed modules on the EPO server.
4/ Once "UpgradeCompatibility.exe" states that the system is upgrade ready, run the "Setup.exe" of the EPO package
5/ Verify that all the jobs are working (repository update, build new PC, encryption..)
Barcelona - install Agencia Tributaria Canaria models
Blue Coat tracks questions and requests for assistance for warranty and support contracts through a Service Request (SR) process. This is typically done by contacting a Global Support Center, or by opening a Service Request through the customer support portal, BlueTouch Online. As SRs are opened, technical information about the product, environment, and customer site will be collected, and a “service severity level” is assigned for each case.
The service severity is defined by the problem type and technical impact, and plays an important role by setting the initial response time, update frequency, and as guidance for the time to escalate issues to a higher level. By setting severity levels, Blue Coat is able to balance its resources for all customers, and to allow timely resolution of technical issues.
In the interest of customer satisfaction and efficient case management, a “duty manager” is on call 24x7 as a resource to assist customers who may feel that the severity of their issue has not been accurately characterized, or the response has not been within the stated timelines.
Severity Definitions
Severity Level: Severity Description
Severity 1 (Critical):
- Network or application outage, network/application is "Down", no workaround.
- Critical customer business operation is fully impaired by inadequate performance.
- Impaired functionality, critically impacting customer's business operations.
Severity 2 (High):
- Operational aspect of network or applications is severely degraded.
- Continuous or frequent instabilities affecting customer business or network operations.
- Inability to deploy a feature, function or capability.
- Successful workaround in place for a severity 1 issue.
Severity 3 (Medium):
- Performance of the network or application is impaired with limited impact to business operations.
- A functional, stress or performance failure with a workaround.
- Successful workaround in place for a severity 2 issue.
Severity 4 (Low):
- Operational issues for certain features/capabilities with no impact to business operations and no loss of functionality.
- General "how-to" questions.
- Documentation/process issues.
Response & Escalation Times
Severity Level | Response Time * | Escalation Time ** | Update Frequency
Severity 1 | Immediate | 2 hours | Continuous
Severity 2 | 1 hour | 24 hours | Daily
Severity 3 | 8 business hours | 5 business days | Weekly
Severity 4 | 3 business days | 10 business days | Weekly
* S1 and S2 problems must be logged through the Global Support Center by telephone, or immediately followed up by telephone if logged through BlueTouch Online, to help ensure the response time target is met.
** Blue Coat will make every reasonable effort to resolve the reported customer problem, provide a work-around or escalate to the next level within the times listed. Blue Coat makes no commitment to resolve an issue within a specific time.
Response time is the time between initial contact and active engagement by a support engineer or duty manager. The response times stated here are targets only. Actual response times may vary.
Severity 1 requests are responded to on a 24X7 basis.
Severity 2 requests are responded to on a 24x7 basis, as agreed to between the customer and Blue Coat.
Severity 3 and 4 requests are responded to during normal business hours for the region where the SR was originated.
Case Escalation
To expedite the resolution or elevate the severity of a reported problem, Blue Coat encourages customers to contact the on-call duty manager. This can be done by making the request to the customer support engineer to whom the case is assigned or by calling the 24/7 global on-call duty manager contact line at:
+1 (408) 541 3700 (Worldwide), or additional toll-free or local phone numbers in select countries.
The duty manager role is not intended as a replacement to the existing Blue Coat support processes, rather a resource customers may turn to for additional management focus.
Preparing Your Request
When contacting the duty manager, please be ready to provide:
A current, active Service Request number
Clear contact information in the event of call-back which includes:
- Primary contact name
- Primary contact telephone number
- E-mail information
- Alternative contact(s) in the event of unavailability of the primary contact
Failure to provide this information may result in longer response times.
X-Series Case Handling Procedure
The objective of the escalation and notification process is to:
Ensure timely resolution of all customer situations
Provide a means of properly prioritizing problems
Provide management awareness of product and customer issues
Ensure proper resource allocation to meet End User problem resolution requirements
Provide assurances that Blue Coat is focused on providing timely resolutions to technical issues that impact the End User’s business operation.
By selecting the proper Priority, Blue Coat can ensure that high priority issues receive immediate attention. Making the proper selection is very important to the way Blue Coat processes incoming service requests. An improper selection may result in delays in the initial response time for critical situations. Please use this selection with extreme care.
PRIORITY: The service engineer receives input from the End User on the impact of the issue on the End User’s normal business operations, and the service engineer sets the priority field to the appropriate level. These priorities will drive escalations outlined below. Blue Coat has implemented business notification rules based on these priority definitions. It is extremely important to fully understand a TRUE Business Impact of the issue and assign appropriate priority to a reported problem. Priority of an issue may change even while a case is open.
Priority 1 – Major business disruption
Priority 2 - Significant business disruption
Priority 3 – Minor business disruption
Priority 4 – Minimum to No business impact
For Priority 1 problems (i.e. system outage) with Blue Coat hardware and software products (X-Series), our resolution goals and escalation time frames are as follows:
Response time goal - within 30 minutes
Restoration goal (workaround) - 24 hours
Replacement of HW component - Based on service plan
Temporary product fix (patch release or firmware upgrade) - 5 to 10 days
Permanent fix (maintenance release) - 60 to 90 days
For Priority 2 problems with Blue Coat hardware and software products (XOS and COS), our resolution goals and escalation time frames are as follows:
Response time goal - within 2 hours
Restoration goal (workaround) - 72 hours
A permanent solution will be incorporated into either a patch release or the next maintenance release.
For minor problem reports, our goal is to respond within 24 hours and provide a workaround or temporary solution within 10 days. A permanent solution will be incorporated into either a patch release or the next maintenance release.
Note: These resolution and escalation goals and time frames do not apply to third party software applications. Product enhancement requests will be submitted to our product management organization for consideration for the next major software release.
In order to properly characterize and diagnose reported problems, it is necessary for Blue Coat to have the required information indicated below available. This will allow a thorough investigation to take place. The following lists define the minimum sets of data to be collected at the time that a new issue is being reported to a Blue Coat Systems Support Center.
Detailed description of the issue
Description of troubleshooting that has already been completed
Time line of the problem
Description of business impact
“show-tech-support” output from X-Series platform and “cos-tech-support” output from C-Series platform. In a DBHA environment, information should be provided from both chassis.
/var/log/messages files from chassis. In a DBHA environment, information should be provided from both chassis.
Recent upgrades / downgrades for hardware and/or software
Console output from CPM/APM if available
Basic routing information
TCPDumps, other traces if available
In addition to above information, the Blue Coat support organization may request additional information to aid in the resolution process.
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is located either on Citrix servers or locally on some of the machines.
Client SETUP
To set up a new PC you need to install the client and create a SQL ODBC connection
Install the MSI from \\amssrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
ODBC SETUP
Depending on the machine run:
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new user DSN: Data Source > select SQL Server with the following connection strings:
- Name: TMS5
- Description: NL Screening Deployed
- SQL username: amssdws
- Password: see the password manager
Change the default database to TMS5.
Enable "Use ANSI quoted identifiers" and "Use ANSI nulls, paddings and warnings".
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: MLTTMS5 (or the relevant data source name for the jurisdiction's SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA password for the Screening Deployed SQL DB
Testing software
Open the Investigator application:
"C:\Program Files (x86)\Screening Deployed\investigator.exe" – 64-bit PC
"C:\Program Files\Screening Deployed\investigator.exe" – 32-bit PC
RDP to the “Rubis” server and log in with your Admin account, and do the following
Demarrer (Start) > Tous Les Programmes (All Programs) > Core FTP > Core FTP Pro
If this is the first time you will use Core FTP then you will need to do the following to set up the connections to each bank
Creating a connection to LODH
When you open Core FTP the “Site Manager” will appear enter the following details.
Password is in the PW manager
Downloading and Extracting LODH files
a) From the site manager click on the LODH site and then connect
b) then in the right hand pane you will see an “in” and “out” folder please choose the OUT folder
c) within the left hand pane select the button; this specifies the location where the files will be downloaded to.
For LODH choose the following location “D:\CPS\Interfaces\LODH\FTP”
d) from the right-hand pane within the OUT folder you will see “.exe” files. Each file shows the date and time it was uploaded. You will need to download all files from the time the download was done the previous day up to the current time and date. Note the time you did the download on the Daily Tasks spreadsheet.
For example, if the previous day's download was done at 13:00, you will need to download everything after 13:00 for the previous day, and all files for the current day.
Arrange the right hand pane by date then select all the “.exe” files from the current day, and all files that arrived after yesterday's download was done.
This will download the exe files into the location specified in part C
Once downloaded you will see the files in the left hand pane
e) now use Windows Explorer to browse to D:\CPS\Interfaces\FTP
Each one of these files is encrypted with the same password, which is also in the PW manager
Do the following to decrypt
Click on the file and WinRAR will open; keep the default location (if this is changed the file will not be uploaded into CPS) and click Install
You will then be asked for the password (it’s in the PW manager)
Click OK and it’s done.
Now do the same for all the files for the day.
Once they have been extracted I usually move the .exe files of the day from the root of the FTP folder into “Nouveau Dossier” just to keep it clean.
How to install/change Internet Explorer Search engine.
Bluecoat happens to break Google dynamic search results for some of the users (even inside Citrix). The webpage shows blank results when you use Google search.
Workaround
Change Internet Explorer’s default search engine from Bing to Google. (see below image)
Internet Explorer address bar will now work the same way as Chrome address bar.
Explain to the user how easy it is to search without actually going to Google
To block a sender, you can go to Directories, Groups, Click on the Blocked Senders folder on the left hand side, select the Build button and add the email address or domain.
When you contact Mimecast via phone, you will be asked for our Mimecast ID and account code, which can be found in the screenshot below. If you are asked for a security passphrase, this is available at the bottom of the ‘Dashboard’ when you log in to the Mimecast Console and also in the Password Manager under ‘Mimecast Security Passphrase’.
There is also a comprehensive knowledgebase available at the following link:
When deploying to a laptop please follow the instructions below step by step!
BIOS Settings:
Ensure the following things are set in the BIOS, this may differ by manufacturer, some options may be in different places or not available.
1 - Disable TPM (The on-chip encryption function, McAfee is not compatible with this)
2 - Disable Secure boot
3 - Set boot mode to Legacy
4 - Set SATA mode to AHCI
5 - Set the BIOS (Admin) password to a random password, and store in a notepad file along with the encryption key (see this step later)
Installing McAfee components.
2. Log into the PC and make sure the following accounts are set up and part of the Administrator group.
Europe-IT ---> tsurt
User -------><random password, store this in the notepad file with the BIOS password>
3. Copy the contents of the folder "Offline Encryption - Autoboot" from \\amssrvfs001\sources$ to a USB stick.
4. Place the USB drive into the laptop and copy the contents of the folder to the root of C:
5. Go into the folder and open the "txt" and confirm it contains the following:
User:password
Europe-IT:password
If not, change it to match the above. DO NOT CHANGE the password part of the text.
6. Now open a command prompt and change to "C:\Offline Encryption – AutoBoot" (for Windows 10, shift + right-click to open Windows PowerShell and start the command prompt from there).
There should be a txt file called "Offline Activation". It contains a command; copy this into the CMD and run it.
7. If you now look under "C:\Offline Encryption – AutoBoot", two extra files will have appeared:
ESOfflineActivateCMD
OfflineActivation
8. To install the software follow the steps below and make sure that you install in the specified order, or the encryption will not work!
Browse to C:\Offline Encryption – AutoBoot
Run "FramePkg" – This installs the Mcafee Agent
Open the VSE880LMLRP6 folder and run "SetupVSE.exe" – This installs the Anti-Virus
Open MfeEEAgent folder and run "MfeEEAgent64" – This installs the Drive Encryption Agent (If it’s a 32 bit machine which is unlikely, run MfeEEAgent32)
Open the MfEEEPC folder and Run "MfeEEPc64" – This installs the Drive Encryption Driver
After this is completed in order the Laptop will need a restart
9. Browse to C:\Offline Encryption – AutoBoot and run "Offline Activation"
A CMD box will appear and you will see it start to activate.
To confirm the process has started right click the McAfee agent and go to "Show Drive Encryption"
10. Upon restart, the laptop should go to the endpoint encryption login page. You will need to create security questions and passwords for both windows accounts.
**If the laptop gets stuck and will not boot, go into the BIOS, open System Configuration>SATA Operation, and ensure that ‘AHCI’ is selected. The laptop should then boot normally.**
11. Log in first with the ‘Europe-IT’ account; the initial password will be set to 12345. Change this to match the Windows account password.
12. You will then be asked to set 3 security questions, set the answers as follows:
What is your Favourite colour: Red
What is your Favourite song: dont worry be happy (this should be exactly like this, no punctuation)
What is your Favourite food: Steak
Then log in to Windows.
Restart the laptop again, change to the ‘User’ account and log in with 12345, change the password to LetMeIn, and then if possible ask the user to set their own security questions. If they are not available, set them to different answers and provide the details to the user when the laptop is handed over.
Then log in to Windows.
13. Copy the laptop encryption key "EERecovery" from C:\ to a folder on the USB stick named after the laptop, also copy the notepad file containing the passwords, then copy from USB to the following location on AMSSRVEPO001:
Share file Licencing - Quarterly Task
1) Log into - https://chevault.sharefile.com (Log in details in Password Database)
2) Click “Manage Users” then click “Browse Employees”
4) Now that you can view all the employees, check for users who have not logged in for more than 3 months
* DO NOT email EX CO members, directors and IT staff!
like Martin Crawford, Ad de Beer, Walter Stresemann, etc
5) Email the users and save the emails here:
See the attached email that you can use as a template
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\sent emails
6) Wait for replies and save the emails here:
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check\Q1 2016\received emails
7) If they don't use Sharefile anymore
- reset the password
- downgrade the account to client
6) Once you have completed CHE you can now move onto doing the same check for LUX Vault by logging into - https://luxvault.sharefile.com (Log in details in Password Database)
general link
\\work.local\itsupport\IT Support - Europe\Procedures\IT Quarterly Tasks\Sharefile license check
Please update the license sheet as shown in the monthly task https://itsupport.vistra.com/hc/en-gb/articles/207282665-Share-file-Licencing-Monthly-Task-M17
Task Complete
Zurich - install / update module (Kanton) in drTax 3.0
The guide below gives you a summary of the steps required to install and configure a bare-metal HP server. This guide is divided into the tasks below:
Hardware prep
Host prep
Disk prep
OS prep
OS configure
Domain joining
Additional installs
Hardware prep
Do this before starting on the software. In some cases the hardware supplier does not deliver the server with its components installed. In this case the server will be delivered with all the parts boxed separately. You need to install the components manually by removing the server tray.
HOST prep
Before patching the server into the network, start by finding the appropriate name and IP address for this server. The best way to do this is by pinging the same range and finding an unused IP. The ILO port will use the next IP, so make sure the next IP is also available. Use ILOSERVERNAME as the ILO hostname (replace SERVERNAME with the hostname).
To find the right range and amount please review a server with the same job in the network. Boot the server and hit the appropriate key (shown on screen) to boot in the ILO configuration and configure the ILO port. Activate the ILO license once you have access to it from your own desktop. Make sure you
Disk prep
Using the ILO, boot into the HP Array Configuration Utility, where you can configure the disks before starting the OS installation. Please see below Vistra's standard disk array configuration:
- RAID 1 - consisting of two smaller disks to host the OS
- RAID 5 - consisting of four bigger disks to host the application/DATA
OS prep
Once you have done the necessary, you are ready to install the OS onto the first RAID. To install an OS you need to mount the appropriate ISO from the ILO web page to be able to boot into it. Remember to mount the ISO from a close-by host to avoid hitting bandwidth thresholds. Start installing the OS once the ISO is booted. Use the OEM key (sticker on the server) if you have a licensed machine, and use a Volume License key if this machine is not licensed yet.
OS configure
Once you have finished installing the OS, you will need to apply Vistra's required configuration. Once the OS is running, configure the items below:
Set up the hostname
NIC (teaming at least 2)
assign IP
Install the Drivers
Set Timezone
Install UK and US keyboards
Disable firewall
Activate windows
Update windows
Server manager > disable IE enhanced Security Configuration
Domain Joining
Once you are done configuring the above, it's time to join the server to the domain. Make sure you have local admin privileges before doing this. Follow the steps below.
Create an AD Computer object in the appropriate OU
Join the server to the domain, restart the server and log in again as local admin
Depending on what this server is going to do, add the security group required for this server role. Example: Security - IT - Amsterdam Screening Deployed Administrator
Additional install
For a server to run securely, monitored and properly licensed, you need to install the software components below accordingly.
McAfee: Deploy agent and VSE using EPO (add host to the tree)
Opsview: Install opsview client, change the service account to work\svcopsview and configure the host in Opsview (see: KB here)
Snow: install the setup found in sources$
Your server is now ready to use and you can install and configure additional roles, features, applications as needed to use this server.
Please find the below instructions useful for troubleshooting issues with adding/installing printers.
Error message:
Windows cannot connect to the printer 0x00000057
Troubleshooting:
1) On a machine with the same driver installed (and working properly), open Regedit, and browse to:
HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3\
2) Locate the subkey for the printer driver you are dealing with and click the key for the printer driver.
3) Look for the “InfPath” on the right. Note the path.
5) Now browse to C:\Windows\System32\DriverStore\FileRepository and locate the folder indicated in the InfPath reg value.
6) Go to the user's computer exhibiting this behavior, and browse to C:\Windows\System32\DriverStore\FileRepository and see if the folder is present. In my case, the folder was present, but empty. If it is there and it is empty, you will have to modify security on the folder, first taking over ownership, then granting yourself full control.
7) Once security is granted, copy the contents of this folder from a good machine to the machine presenting the 0x00000057.
Please try now to add/install the printer again and it should work normally.
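The check in steps 1 to 6 can be run for every installed driver at once. The script below is an added example, not part of the original article: it reads each driver's InfPath value and reports whether the DriverStore folder it points to is missing, empty or unreadable. It assumes an elevated PowerShell session; the function name is made up for this example.

```powershell
# Added example, not from the original article. Read-only: nothing is changed.
# Assumption: run in an elevated 64-bit PowerShell session on the affected PC
# (and on a known-good PC, to compare the two results).
# 'Windows NT x86' is the environment named in the article; pass
# -Environment 'Windows x64' to check 64-bit drivers instead.
function Get-PrinterDriverStoreStatus {
    param([string]$Environment = 'Windows NT x86')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$Environment\Drivers\Version-3"
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Warning "Registry key not found: $key"
        return
    }

    foreach ($driver in Get-ChildItem -LiteralPath $key) {
        # InfPath holds the full path of the driver's .inf file in the DriverStore
        $infPath = (Get-ItemProperty -LiteralPath $driver.PSPath).InfPath
        $folder  = $null
        $count   = $null

        if ([string]::IsNullOrWhiteSpace($infPath)) {
            $status = 'No InfPath value'
        }
        else {
            $folder = Split-Path -Path $infPath -Parent
            if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
                $status = 'Folder missing'
            }
            else {
                $listErr = $null
                $files = @(Get-ChildItem -LiteralPath $folder -File -Force `
                           -ErrorAction SilentlyContinue -ErrorVariable listErr)
                $count = $files.Count
                if ($listErr)         { $status = 'Unreadable (check ownership/ACL)' }
                elseif ($count -eq 0) { $status = 'Folder empty' }
                else                  { $status = 'OK' }
            }
        }

        [pscustomobject]@{
            Driver = $driver.PSChildName
            Status = $status
            Files  = $count
            Folder = $folder
        }
    }
}

Get-PrinterDriverStoreStatus | Sort-Object Status, Driver | Format-Table -AutoSize -Wrap
```

Any driver reported as 'Folder empty' or 'Folder missing' on the failing PC but 'OK' on the good PC is a candidate for step 7.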
In Windows 7 x64 or Windows Server 2008 R2 the Mail (32-bit) applet shows a blank icon & does nothing when you click on it.
However if you run it manually using the following command it runs just fine.
c:\Windows\SysWOW64\control.exe mlcfg32.cpl
Use the following steps to resolve the issue.
Close the Control Panel.
Open Regedit & browse to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.
Right click mlcfg32.cpl & select Modify.
The current value will be something like C:\PROGRA~2\MICROS~2\Office14\MLCFG32.CPL. Note that the path may be different in your case depending on where Office is installed.
Change any single character in the path then click OK (e.g. C:\PROGRA~2\MICROS~3\Office14\MLCFG32.CPL).
Close Regedit.
Now open the Control Panel & notice that the applet is gone.
Close the Control Panel.
Open Regedit & browse to HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cpls.
Change the value of mlcfg32.cpl back to C:\PROGRA~2\MICROS~2\Office14\MLCFG32.CPL.
Close Regedit.
Now open the Control Panel & notice that the applet is back & the icon is displaying properly.
Sometimes remotely reaching an ARCSERVE UDP agent webpage (https://server:8014) gives you the below sad face:
Cause:
This is because some older agent versions running on our hosts have an insecure DSA 128 SSL key, which is hackable. It affects all agent releases from D2D r16/16.4 to UDP version 5 update 3.
Solutions:
You need to sign a new SSL key and mount it to Tomcat on the server.
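To see which hosts still present the old key, and to confirm the replacement afterwards, the certificate an agent serves can be read remotely. The script below is an added example, not part of the original article and not ARCserve's own tooling. It assumes Windows PowerShell 5.1 on .NET Framework 4.6.2 or later; 'server' is a placeholder host name, the function name is made up, and 2048 bits is used as the minimum acceptable RSA/DSA key size.

```powershell
# Added example, not from the original article. It only reads the certificate
# the agent presents on port 8014; it changes nothing on the server.
# Assumptions: 'server' is a placeholder; 2048 bits is the chosen minimum
# for RSA/DSA keys; MD5 and SHA-1 signatures are treated as weak.
function Get-AgentCertificateInfo {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 8014,
        [int]$MinKeyBits = 2048
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ComputerName, $Port)

        # Accept any certificate: it is being inspected here, not trusted.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Each helper returns $null when the certificate holds another key type.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.DSACertificateExtensions]::GetDSAPublicKey($cert) }
        if (-not $key) { $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert) }

        $keyBits = $null
        if ($key) { $keyBits = $key.KeySize }
        $isEc    = $key -is [System.Security.Cryptography.ECDsa]
        $sigAlg  = $cert.SignatureAlgorithm.FriendlyName

        [pscustomobject]@{
            Host           = "${ComputerName}:$Port"
            Protocol       = $ssl.SslProtocol
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            KeyAlgorithm   = $cert.PublicKey.Oid.FriendlyName
            KeyBits        = $keyBits
            SignatureAlg   = $sigAlg
            WeakKey        = (-not $isEc) -and ($null -ne $keyBits) -and ($keyBits -lt $MinKeyBits)
            WeakSignature  = $sigAlg -match 'md5|sha1'
            Error          = $null
        }
    }
    catch {
        # A failed handshake is itself a finding: a hardened client can refuse
        # the protocol or key that an old agent offers.
        [pscustomobject]@{
            Host  = "${ComputerName}:$Port"
            Error = $_.Exception.GetBaseException().Message
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Get-AgentCertificateInfo -ComputerName 'server' | Format-List
```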
Unable to open PDF files in Internet Explorer with PDF Converter Professional 8
Problem:
When attempting to open a PDF file in Internet Explorer, one of the following circumstances may occur:
The file may not be displayed
Internet Explorer flashes in and out of focus
An error message appears
Cause:
The following are the main reasons why PDF files cannot be displayed properly within the PDF Converter Professional Web Viewer:
The security settings of Internet Explorer block the PDF Converter Professional web viewer from launching successfully.
A failed installation of the PDF Converter Professional web viewer.
Incompatibility with the design of a website.
Note: Some websites are specifically designed to use Acrobat for displaying PDF files. These sites will not work with PDF Converter Professional.
Solution #1:
Ensure that the Internet Explorer security settings are not set to "High". The "High" security setting can block the PDF Converter Professional Web Viewer from loading. Follow these steps to adjust the Internet Explorer security settings:
Click "Start > Control Panel".
Select "Classic View" on the left panel if it isn't already enabled.
Double-click on the "Internet Options" link.
Select the "Security" tab and then click the icon labeled "Internet".
Adjust the security level to "Medium-high" or lower.
Note: If there is no slider available, click the "Default level" button to enable the slider.
Solution #2:
If the PDF Converter Professional Web Viewer is still failing after adjusting the Internet Explorer security settings, unregistering and re-registering the Web Viewer may resolve some issues. Follow these steps to re-register the Web Viewer:
Close out of all applications, especially Internet Explorer.
Click "Start > Run" to open the run dialog. It is also possible to use the "Windows Key + R" keyboard combination to open the Run dialog.
Use the command below to unregister the Web Viewer. The path will need to be adjusted if PDF Converter Professional was not installed to the default location:
regsvr32 /u "C:\Program Files\Nuance\PDF Professional 8\bin\GPlusDocServer.ocx"
A dialog will appear stating that the unregister server succeeded. If any other message appears, check that the file location is correct.
Open the "Run" dialog again using the same method in Step 2.
Use the second command below to re-register the Web Viewer. The path will need to be adjusted if PDF Converter Professional was not installed to the default location:
regsvr32 "C:\Program Files\Nuance\PDF Professional 8\bin\GPlusDocServer.ocx"
A dialog will appear stating that the register server succeeded. If any other message appears, check that the file location is correct.
If after following Solutions 1 and 2, PDF files still cannot be opened within Internet Explorer, it may be an incompatibility with the website design. In this case, we recommend unregistering the Web Viewer and leaving it disabled. When accessing a PDF file with the Web Viewer disabled, a message will appear prompting the user to open or save the file. Clicking "Open" will open the PDF file within the PDF Converter Professional application, rather than the Web Viewer. Clicking "Save" will prompt the user to specify a location to save the file to.
Note: To unregister the web viewer, follow Steps 1 through 4 of Solution # 2. Do not re-register the Web Viewer by completing the remaining steps.
Install \\cypsrvsql001\Unity\Setup\setup.exe. Follow the steps of the Install Wizard. At the end of the install a progress screen like the one below in the screen shot will pop up and should contain lots of green ticks. If this is not the case then please use the button at the top of the screen to copy the text and paste it into an email and send it to Unity support for review.
If the install was successful you can now open Elements. Under Start -> All Programs -> Unity Software you should find two databases: 'Unity Elements' and 'Unity Elements Test'
Please open one of the two databases and ensure you can:
Log in.
Load an entity by double clicking on one from the All Live Clients list.
Check to ensure that on load of the entity the Entity Summary Report has opened.
Load a second entity by clicking on the entity search icon at the top (Unity Logo).
Remove old shortcuts and create new ones
Run unity and let the user test it
Move on to the next PC
Additional information (Troubleshooting)
If there are any issues regarding the underlying XLS files in Unity, you need to change the paths:
Change the path of unity share in HKCU\Software\VB and VBA Program Settings\Unity\General\UnitySharedPath to: \\CYPSRVSQL001\unity
Change any additional desktop shortcut to the new UNC path: old: \\CYPSRVEXC001\unity\UnityElements new: \\CYPSRVSQL001\unity
You will also need a DSN reg key as per below. The Value data will be the name of the database.
When you open Excel using the FX Import option in unity the database path should be entered as follows:
Permission Unity Users
When multiple people in the office are unable to access or add accounts.
Call Laura Michael or Nick Terry, they have Admin rights on Unity.
In Unity go to security and choose "Permissions".
This opens the Permissions option.
Choose Unity form for the Object type. Then select the "group".
Only "admins" and "Users" groups are being used by the Cyprus office.
For the users, all four settings need to say yes. This can be done by selecting one and pressing the green check mark in the left-hand corner.
Let the user log out of Unity and back in, the permission changes are immediate.
If you're still having issues please contact Microgen.
5. Install SQL client 2012 (Optional, if the PC/Citrix server doesn’t have)
ODBC Setup
USER DSN Configuration: (must be configured in the user's profile, i.e. you must be logged in as the “User” on his/her own PC or Citrix session)
Go to ODBC Data Source Administrator > click “ADD”
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
Create New Data Source > Select SQL Server Native Client 11.0
2. Copy the settings on the screenshot below and click NEXT (The values will differ depending on the ODBC connection that was used to generate the Screening Deployed describe file)
3. Copy the settings on the screenshot below and click NEXT
Login ID: sgpsdws
Pw: (in pw db)
4. Copy the settings in the screen shot below and click NEXT
5. Click Finish and click on “Test Data Source” > connection must complete successfully
6. Open Investigator application
("C:\Program Files (x86)\Screening Deployed\investigator.exe") – 64-bit PC
("C:\Program Files\Screening Deployed\investigator.exe") – 32-bit PC
Login details
Username: W001
Pw: test1ng
A successful log in will mean that the USER DSN is working properly
END…
Europe - Bomgar PAM Console Monitoring and approval
The below instructions are meant for approving and monitoring the sessions which are started by third-party support companies. Please see this article to instruct third parties how to connect to Vistra's systems.
Approve a session:
When a third party tries to access our system, they first select a system inside their PAM console and request access. The request includes the following information:
Request from
Request Reason
Request time
see below the request screen:
An e-mail including this request will be sent to the required approver(s). Depending on which group requires access, one of the below mail groups is used.
The email includes a hyperlink where the session can be approved, including a comment. The comment will be shown to the requester upon accessing the server.
See below the approved notification which the third party receives:
Monitor / Take over session
Third-party sessions to Bomgar PAM are visible to Business system and selected IT support members. The Bomgar PAM Console makes it possible to monitor or take over a session. The steps below help you use the Bomgar PAM Console:
Start installing the Bomgar Pam Console from Sources$. Upon first run please pin this application to Windows task-bar for later access
Use your domain admin credentials to login:
If you followed the above steps correctly you should see the Bomgar PAM Console on your screen:
a) Select all teams.
b) See the connected third parties, select one and hit (d) Monitor/Take Over (this will show their console).
c) Select an active session to one of our servers and hit (d) Monitor/Take Over (this will show the console including their session to our server).
e) Select the user to chat, send/receive files or show your screen.
Note: when monitoring or taking over a session, confirm selecting the correct third party's screen. You will only see the Bomgar window on the correct screen by selecting that screen.
How to clean local print drivers from a user's machine
When a user has problems with printing from their PC, you can check if there are non-related printers installed on the machine (for example: HP, Konica Minolta, Xerox).
To clean the print drivers you should follow the following steps:
1. Run cmd > net stop spooler
2. Clean up the registry: in the following registry key, remove all unwanted subkeys but leave the Microsoft and PDF print drivers.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3
3. Clean up the drivers folder: in the folder below, add an extra view column in Explorer named “Company”.
C:\Windows\System32\spool\drivers\x64\3
Remove all .dll files from HP, Konica Minolta and Xerox. You might need to kill tasks which are holding these dll files using Task Manager.
4. Run cmd > net start spooler
5. Run printui /s /t2 Check if there are still printers installed which needs to be removed, and if needed remove them from here.
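Before deleting anything in steps 2 and 3, it helps to list what is actually registered and which processes still have the vendor DLLs loaded. The script below is an added example, not part of the original article, and it deletes nothing. It assumes an elevated PowerShell session on the user's 64-bit PC; the function names and the vendor pattern are made up for this example.

```powershell
# Added example, not from the original article. Read-only inventory to run
# before the clean-up steps above: nothing is deleted or stopped.
# Assumption: elevated PowerShell on the user's 64-bit PC.
$driversKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3'
$driversDir    = Join-Path $env:SystemRoot 'System32\spool\drivers\x64\3'
# Vendors named in the article; 'Hewlett' is added here as an assumption so
# that files signed with the long HP company name are also listed.
$vendorPattern = '\bHP\b|Hewlett|Konica|Xerox'

# Step 2 preview: registered drivers, and whether the article says to keep them.
function Get-RegisteredPrintDriver {
    foreach ($k in Get-ChildItem -LiteralPath $driversKey) {
        $p = Get-ItemProperty -LiteralPath $k.PSPath
        [pscustomobject]@{
            Driver       = $k.PSChildName
            Manufacturer = $p.Manufacturer
            Keep         = ($k.PSChildName -match 'Microsoft|PDF') -or
                           ($p.Manufacturer -match 'Microsoft')
        }
    }
}

# Step 3 preview: the same value Explorer shows in the "Company" column.
function Get-VendorDriverDll {
    Get-ChildItem -LiteralPath $driversDir -Filter *.dll -File |
        Where-Object { $_.VersionInfo.CompanyName -match $vendorPattern } |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Name
                Company = $_.VersionInfo.CompanyName
                Version = $_.VersionInfo.FileVersion
            }
        }
}

# Processes that still have a DLL from the drivers folder loaded; these are
# the tasks that would block the delete in step 3.
function Get-ProcessHoldingDriverDll {
    foreach ($proc in Get-Process) {
        try {
            $hits = @($proc.Modules | Where-Object { $_.FileName -like "$driversDir\*" })
        }
        catch {
            continue   # protected or exited processes cannot be inspected
        }
        foreach ($m in $hits) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                Id      = $proc.Id
                Module  = $m.FileName
            }
        }
    }
}

Get-RegisteredPrintDriver   | Sort-Object Keep, Driver | Format-Table -AutoSize
Get-VendorDriverDll         | Sort-Object Company, File | Format-Table -AutoSize
Get-ProcessHoldingDriverDll | Sort-Object Process       | Format-Table -AutoSize
```

Saving the three tables with the ticket gives a record of what was on the machine before the clean-up.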
The below instructions are meant for third parties accessing the authorized systems inside the Vistra network. You can also use the attachment to inform the authorized parties.
Click on the following application and accept the policy agreement. Note: You need Citrix Receiver installed. If you are visiting the website in a non-Microsoft web browser, you need to manually run the downloaded Citrix connection file after download.
Login with the same windows credentials in the next screen:
If you followed the above steps correctly you should see the Bomgar Console in your screen:
You will see the servers which you can request access for. Double click on a server to request access. Describe the reason for this connection and the time you need for this session. The required approver will receive an email which needs to be approved first.
Once approved, you will get a popup inside the Bomgar Console indicating that the session is approved.
Inside Bomgar console, double click on the approved server again to start an RDP session. Login using the same windows credentials in the below popup
If you have followed the steps correctly you now have an RDP session to the server:
3) Click “Manage Users” then click “Browse Employees”
4) Now that you can view all the employees, perform a comparison yourself between the Sharefile database & the spreadsheet (\\work.local\itsupport\Global\Sharefile Licensing) under the “CHE” tab on the spreadsheet.
5) If you notice any users that are on the Sharefile database but aren’t on your spreadsheet then add them to the spreadsheet so you have a complete mirror comparison as the Sharefile database.
6) Once you have completed CHE you can now move onto doing the same check for LUX Vault by logging into - https://luxvault.sharefile.com (Log in details in Password Database)
7) Click “Manage Users” then click “Browse Employees”
8) Now that you can view all the employees, perform a comparison yourself between the Sharefile database & the spreadsheet (\\work.local\itsupport\Global\Sharefile Licensing) under the “LUX” tab on the spreadsheet.
9) After you have checked all the staff please ensure you do a total (As shown below) on both CHE & LUX.
10) Final Part - Click on the Licences tab, browse to - \\work.local\itsupport\Global\Accounts\OrdersIndex & update the spreadsheet with any recent purchases of Sharefile licences for both CHE & LUX.
Task Complete
In FOG-enabled offices, building/reimaging PCs is done through image deployment using the FOG server. This guide explains how to use FOG to deploy images to new and used machines. It is important, however, to remove existing PCs from Epolicy (EPO).
Process Summary:
The following steps take place to deploy a PC.
Register host/s by either preferred method
Through the PXE menu by choosing the option: Perform Full Host Registration and Inventory
Postimage: Wait until PC is up and run the postimage
Drivers: After reboot run the autoinstall drivers.
McAfee: move the host in McAfee Epo to the right group
The next part of this KB explains the above steps in detail. The preferred method is using the PXE menu.
Detailed process:
The below detailed instructions explain how to deploy an image. NOTE!!: when buying PCs in batch, make sure the supplier is pre-enabling the below and providing you with a list of MAC addresses.
In the BIOS, change the setting to allow NIC and PXE booting. You also need to enable NIC in the boot sequence:
Boot the PC using the F12 key and select boot to NIC.
Keep pressing the ARROW KEYS so that the machine does not skip the FOG PXE menu, until you see the below menu.
Depending on whether the PC is new or used, you should see one of the following screens. You need to register new PCs first before being able to deploy an image to them. Follow the steps:
New Machine Register and deploy
Used Machine Deploy
Upon selecting the Full host registration a Wizard will guide you through the process:
Type in the PC name (example: AMSWRK###)
Select the latest Image file (use ? for help)
type Y and Select the Correct Group (use ? for help) Example: AMS
Type N for Product Activation
Y for adding to AD
Leave the Primary user blank
Leave TAG1 and TAG2 blank
Y for deploying the imaging in to this PC
Enter your FOG Username and Password.
Force Shut down PC and start via PXE again.
The image will now download to the PC. Wait until you see the desktop or are able to log in using your domain account.
From desktop Run the green postimage icon shown in the right column.
Login with an admin account and run the autoinstall driver script from sources twice
Move to activate and Encrypt the PC in McAfee Epolicy from lost&found>Workgroup.
After selecting Quick Image follow the below steps to Deploy the Image to this PC:
Enter your FOG Username and Password
The image will now download to the PC. Wait until you see the desktop or are able to log in using your domain account.
From desktop Run the green postimage icon shown in the right column.
Login with an admin account and run the autoinstall driver script from sources twice
Move to activate and Encrypt the PC in McAfee Epolicy from lost&found>Workgroup. Remove any double hostnames.
From here, log in to amssrvprn001 -> open Equitrac Office Manager -> select the printer and fill in the correct Admin ID and password -> Initialize. This will take up to 5 minutes; the printer will be rebooted.
Depending on the user's function, add the admin username to one of the below AD groups:
Application - IT - Vistra Group - Bomgar ITreps
Application - IT - Vistra Group - Bomgar ITreps CEE
Application - IT - Vistra Group - Bomgar ITManagers
Application - IT - Vistra Group - Bomgar BSreps
Application - IT - Vistra Group - Bomgar BSManagers
How to support users with Bomgar
There are different ways to support users using Bomgar. Please decide the best possible method depending on the situation and below chart:
link to support Portal: https://nlremotesupport.vistra.com/
This method is the fastest and easiest support method. "Jump Client" is a bomgar client tool which runs on Windows clients and is deployed through GPO. The current available offices are Amsterdam and Luxembourg. This feature will expand in other offices. Once this is done the pc will be available right from the Rep console. Unlike Jumping to a PC this method does not need installation which saves you time on connection
Search for the computer inside your Rep. Console.
Check if the right person is behind the pc:
Double click or hit button to remote connect.
Jump to:
In case the Jump client is not deployed or missing you can also manually run it:
in Rep console click on top of the screen on Jump to...
Select the correct JumpPoint for the hub the PC is in (example: Jersey for LDNWRK PCs).
If login screen appears. Login using your admin account.
Ask for user to accept.
Support Portal - Select Engineer
This method works best for the following situations:
- The client is outside Vistra's network
- None of the previous methods works for the client
Users have the below red-marked print queues in Amsterdam, which they receive through GPO on logon. These print queues are installed on AMSSRVPRN001 and are virtual print queues. The physical queues are also installed on the same server. The Equitrac database and services are installed on the same server. The services depend on standard Windows services, for example the DNS Client service.
When a user prints to these printers, the job will be held on the server until the same user authenticates on a printer. The job will then be forwarded to the physical print queue which is also installed on the same server. On the server use this shortcut to see the held jobs. You need to open the window from the taskbar after running this shortcut.
Card authentication: A new user needs to swipe his/her Schiphol pass and log in using the same Windows username and password to register the pass (card).
Alternative authentication: In case the user doesn't have the Schiphol card, an alternative PIN code may need to be created using the following steps:
On AMSSRVPRN001 run the following shortcut as administrator and connect to localhost
In the new window click on Users(A) and select the user by clicking (B)
Enter a unique 4 digit number(C) hit OK and give this pin to the user.
Troubleshooting
Users are having Printing issues:
Check whether there are services not running and restart them if needed. Restarting should not give any error. In case you get dependency errors, check Event Viewer to find the missing/stopped Windows services and start them accordingly.
Authentication issues refer to the EQ DCE Service
Print job issues refer to the EQ DRE Service
Cleaning the queue:
Use this only if the problem occurs on all the printers and the above solution does not solve the issue.
Stop EQ DRE Service
Clean spool folder C:\Documents and Settings\svcamsprn\Local Settings\Application Data\Equitrac\Equitrac Platform Component\4\EQDRESrv\EQSpool
Start EQ DRE Service
Printer Inventory Amsterdam:
7th Floor
Entrance Left = 10.40.30.71 Entrance Right = 10.40.30.72
Pantry Left = 10.40.30.73 Pantry Right = 10.40.30.74
HR Left = 10.40.30.75 HR Right = 10.40.30.76
8th Floor
IT Left = 10.40.30.86 IT Right = 10.40.30.85
Support = 10.40.30.87
Entrance Left = 10.40.30.81 Entrance Right = 10.40.30.82
Pantry Left = 10.40.30.83 Pantry Right = 10.40.30.84
Mapped drives are assigned through Group Policy Objects across sites, devices, groups and in some cases even specific users. The following instructions explain how these policies are assigned and how to read the sheet attached to this article.
The mapped group policies are assigned in multiple layers. See the corresponding sheet columns (X) below in red. Please read the explanation and scroll down to download the Excel sheet.
Sheet Column - Explanation of each Column
(A) - Group policy name (GPO)
(B) - Which drive letter/s the GPO is mapping (marked red if not unique)
(C) - Each drive letter has its own UNC share path. Note: a drive letter might be used for more than one share; these drive letters are marked red in the sheet. Example: the T drive in office A might be different from the T drive in office B (different path).
(E)(F) - The GPO will apply to the specified group/s and/or user/s
(H)(I)(J) - The GPO is linked to 1 or more OU containers in AD.
(M)(O) - Filter: even when you are part of the groups mentioned, sometimes you do not get the mapped drives required. This is because in some cases you also need to be part of more than one group to get that GPO applied to you.
(L)(N) - These columns indicate whether it is mandatory or optional (either of the groups or both required)
Please be advised that Policyhub uses SSO (single sign on) which connects to our ADFS (Active Directory Federation Services) server located in Amsterdam.
For the SSO process to work in IE we have deployed IE settings via a group policy. If you receive the below, you will need to look at why the policy has not worked\applied; however, you can manually configure IE with the below settings to get SSO working:
Let either Wendy or Maro know if you have any further questions.
Example: Authentication prompt when IE Settings are incorrect
check the availability and select the correct domains and click on order
fill out the details:
Purchase Order Number – take this from IT order spreadsheet
Client – Select ‘Client Domain from list’
Division – Select office location for domain
Name Servers – this should always be Com Laude Global Servers for client domains
Registrant – this should always be Com Laude local presence for client domains (refer to example4 below)
Admin – this should always be Domain Administrator Com laude for client domains (refer to example5 below)
Comments – Add in any required comments
Requested by – Name of staff member requesting domain
Client Entity Number – This is the number from the offices business system for example viewpoint \ SAP
Services provides – enter the domain services i.e. email\website
Register immediately stops Com Laude check – note country domains usually take 2-3 days to register therefore this is only applicable for domains like .com
click on order:
check domain:
Group - Provision Mobilepass token to user on SAS portal
Check if you get the binary (exe files) in C:\Program Files (x86)\gemalto - Corrupt REG keys / insufficient access result in faulty installations and end up with insufficient amount of files(no exe files) (use M$ FIX it)
Add site to trusted zone and change the zone to accept any kind of ActiveX and set it up to low (Say Yes on the warning).
Make sure older versions are gone(setup path and IE addon) and clear java cache from control panel.
Check whether IE is running in 32 bit mode through Task Manager (starting from the right path is not enough).
Reset IE and delete cookies (don’t delete favorites/forms/password)
2) Launch “Viewer” on your desktop. Can also be found in (C:\Program Files (x86)\Canon Remote Operation Viewer 2.0).
3) Enter the IP Address of the Printer you want to connect to & click “OK”
JERMFD01 - 10.4.30.101
JERMFD02 - 10.4.30.102
JERMFD03 - 10.4.30.103
JERMFD04 - 10.4.30.104
4) Password can be found in the password database under.. (Vistra/Jersey/Printers/Remote Assisting MFD Uniflow Screen)
5) You will now see the interface of the printer, you can watch what the user is attempting to do if they are experiencing a problem.
6) If you would like to log into the machine as an admin click “PIN Code”
7) You will be able to log into the admin interface of the printer. Password can be found in the password database under.. (Vistra/Jersey/Printers/Uniflow Admin Password)
Uniflow Jersey - Assigning a temporary pin RP 18/11/2015
1) Remote desktop to “JERSRVPRN01”
2) On your desktop you will see the below. “Uniflow Server Configuration”, Launch this.
3) Click “Continue to this website”
4) You will be asked to log in, click on the PIN option on the right hand side & the password to log in is in the Password DB.
5) You will then be able to see the Uniflow interface, click “Base Data” on the right hand side, then click “User”.
6) You will now be able to see all the users that are imported in Uniflow.
7) To search for the user that has forgotten their access card & needs a temporary pin code to print, use the below highlighted filter function.
8) Once you have found the user you want to assign a temporary pin code click on the user
9) Click “Add Identity”
10) Under the “Identity Type” you will see an option to choose called “Pin Code”, choose pin code.
11) Set a Pin Code under the “Value” column & click “Add Identity”
12) Click “Save + Back”
13) Set a reminder to remove the PIN Code the next morning.
14) Click the RED Cross (as shown below) to remove the pin code from the user's account
Current version: 1.33_1611215. There is now a tool with a GUI available to manage out of office for users. The following instructions explain how to run and use this tool.
Running the tool: Log in to one of the admin servers and run the OOO_v1 program from the desktop:
AMSSRVADMIN001 (fastest)
LUXSRVADMIN01
JERSRVADMIN001
ZRHSRVADMIN01 (little slow)
HKGSRVADMIN01
Using the tool: The basic workflow is:
- Request the user from exchange
- change his/her setting and message
- Save changes
See the screenshot below. Each red marked number refer to the step below.
Optional: use the corresponding SRVEXC / USER / SRVAdmin for connection to get fast responses.
check your server and Click login. You will see a notification when this is successful: "Logged in successfully, there you go!"
Start typing the person's name / username in the dropdown field. There is some auto complete functionality which you'll notice while typing.
Hit the "Show Stat" button to request the current Out of Office setting of that particular user.
Enable/Disable the out of office as requested.
Set internal/external/date options as requested.
Fill in the internal/external message as requested. (type Arial for font)
Save Changes
Hit Show Stat(3) to review the changes being applied and use the red icon on the top right corner to exit.
Pixel Building - Connection 1st floor <-> 4th floor
POST has installed a new small switch for the IP Telephone
Ports information on the panel
Port1 internet - small switch netgear gs205
Port2 ip tel - switch post ip tel LEBC
Port3 ip tel - switch post small ip tel Vistra
Port4 vistra network - port1 cisco switch
To upgrade EPO from 5.x.x to version 5.3, follow the steps below:
CAUTION: Do not upgrade from 5.1.2 to 5.3. In this case go through an intermediate version first (5.1.3 for example)
1/ Verify that the EPO SQL database has been backed up correctly and create a checkpoint of the EPO server.
2/ Delete the temporary / log files of the EPO software:
-Stop EPO services.
-Delete the files under the folders below:
<ePO_installation_directory>\Server\Temp
<ePO_installation_directory>\Server\Logs
<ePO_installation_directory>\DB\Logs
<ePO_installation_directory>\Apache2\Logs
-Start the EPO services
3/ In the folder "UpgradeCompatibility" of the EPO package you downloaded, run the "UpgradeCompatibility.exe" file and install the needed modules on the EPO server.
4/ Once "UpgradeCompatibility.exe" states that the system is upgrade ready, run the "Setup.exe" of the EPO package
5/ Verify that all the jobs are working (repository update, build new PC, encryption..)
Barcelona - install Agencia Tributia Canaria models
Blue Coat tracks questions and requests for assistance for warranty and support contracts through a Service Request (SR) process. This is typically done by contacting a Global Support Center, or by opening a Service Request through the customer support portal, BlueTouch Online. As SRs are opened, technical information about the product, environment, and customer site will be collected, and a “service severity level” is assigned for each case.
The service severity is defined by the problem type and technical impact, and plays an important role by setting the initial response time, update frequency, and as guidance for the time to escalate issues to a higher level. By setting severity levels, Blue Coat is able to balance its resources for all customers, and to allow timely resolution of technical issues.
In the interest of customer satisfaction and efficient case management, a “duty manager” is on call 24x7 as a resource to assist customers who may feel that the severity of their issue has not been accurately characterized, or the response has not been within the stated timelines.
Severity Definitions
Severity Level
Severity Description
Severity 1 (Critical)
Network or application outage, network/application is "Down", no workaround.
Critical customer business operation is fully impaired by inadequate performance.
Impaired functionality, critically impacting customer's business operations.
Severity 2 (High)
Operational aspect of network or applications is severely degraded.
Continuous or frequent instabilities affecting customer business or network operations.
Inability to deploy a feature, function or capability.
Successful workaround in place for a severity 1 issue.
Severity 3 (Medium)
Performance of the network or application is impaired with limited impact to business operations.
A functional, stress or performance failure with a workaround.
Successful workaround in place for a severity 2 issue.
Severity 4 (Low)
Operational issues for certain features/capabilities with no impact to business operations and no loss of functionality.
General "how-to" questions.
Documentation/process issues.
Response & Escalation Times
Severity Level | Response Time * | Escalation Time ** | Update Frequency
Severity 1 | Immediate | 2 hours | Continuous
Severity 2 | 1 hour | 24 hours | Daily
Severity 3 | 8 business hours | 5 business days | Weekly
Severity 4 | 3 business days | 10 business days | Weekly
* S1 and S2 problems must be logged through the Global Support Center by telephone, or immediately followed up by telephone if logged through BlueTouch Online, to help ensure the response time target is met.
** Blue Coat will make every reasonable effort to resolve the reported customer problem, provide a work-around or escalate to the next level within the times listed. Blue Coat makes no commitment to resolve an issue within a specific time.
Response time is the time between initial contact and active engagement by a support engineer or duty manager. The response times stated here are targets only. Actual response times may vary.
Severity 1 requests are responded to on a 24X7 basis.
Severity 2 requests are responded to on a 24x7 basis, as agreed to between the customer and Blue Coat.
Severity 3 and 4 requests are responded to during normal business hours for the region where the SR was originated.
Case Escalation
To expedite the resolution or elevate the severity of a reported problem, Blue Coat encourages customers to contact the on-call duty manager. This can be done by making the request to the customer support engineer to whom the case is assigned or by calling the 24/7 global on-call duty manager contact line at:
+1 (408) 541 3700 (Worldwide), or additional toll-free or local phone numbers in select countries.
The duty manager role is not intended as a replacement to the existing Blue Coat support processes, rather a resource customers may turn to for additional management focus.
Preparing Your Request
When contacting the duty manager, please be ready to provide:
A current, active Service Request number
Clear contact information in the event of call-back which includes:
- Primary contact name
- Primary contact telephone number
- E-mail information
- Alternative contact(s) in the event of unavailability of the primary contact
Failure to provide this information may result in longer response times.
X-Series Case Handling Procedure
The objective of the escalation and notification process is to:
Ensure timely resolution of all customer situations
Provide a means of properly prioritizing problems
Provide management awareness of product and customer issues
Ensure proper resource allocation to meet End User problem resolution requirements
Provide assurances that Blue Coat is focused on providing timely resolutions to technical issues that impact the End User’s business operation.
By selecting the proper Priority, Blue Coat can ensure that high priority issues receive immediate attention. Making the proper selection is very important to the way Blue Coat processes incoming service requests. An improper selection may result in delays in the initial response time for critical situations. Please use this selection with extreme care.
PRIORITY: The service engineer receives input from the End User on the impact of the issue on the End User’s normal business operations, and the service engineer sets the priority field to the appropriate level. These priorities will drive escalations outlined below. Blue Coat has implemented business notification rules based on these priority definitions. It is extremely important to fully understand a TRUE Business Impact of the issue and assign appropriate priority to a reported problem. Priority of an issue may change even while a case is open.
Priority 1 – Major business disruption
Priority 2 – Significant business disruption
Priority 3 – Minor business disruption
Priority 4 – Minimum to No business impact
For Priority 1 problems (i.e. system outage) with Blue Coat hardware and software products (X-Series), our resolution goals and escalation time frames are as follows:
Response time goal - within 30 minutes
Restoration goal (workaround) - 24 hours
Replacement of HW component - Based on service plan
Temporary product fix (patch release or firmware upgrade) - 5 to 10 days
Permanent fix (maintenance release) - 60 to 90 days
For Priority 2 problems with Blue Coat hardware and software products (XOS and COS), our resolution goals and escalation time frames are as follows:
Response time goal - within 2 hours
Restoration goal (workaround) - 72 hours
A permanent solution will be incorporated into either a patch release or the next maintenance release.
For minor problem reports, our goal is to respond within 24 hours and provide a workaround or temporary solution within 10 days. A permanent solution will be incorporated into either a patch release or the next maintenance release.
Note: These resolution and escalation goals and time frames do not apply to third party software applications. Product enhancement requests will be submitted to our product management organization for consideration for the next major software release.
In order to properly characterize and diagnose reported problems, it is necessary for Blue Coat to have the required information indicated below available. This will allow a thorough investigation to take place. The following lists define the minimum sets of data to be collected at the time that a new issue is being reported to a Blue Coat Systems Support Center.
Detailed description of the issue
Description of troubleshooting that has already been completed
Time line of the problem
Description of business impact
“show-tech-support” output from X-Series platform and “cos-tech-support” output from C-Series platform. In a DBHA environment, information should be provided from both chassis.
/var/log/messages files from chassis. In a DBHA environment, information should be provided from both chassis.
Recent upgrades / downgrades for hardware and/or software
Console output from CPM/APM if available
Basic routing information
TCPDumps, other traces if available
In addition to above information, the Blue Coat support organization may request additional information to aid in the resolution process.
Screening Deployed is mainly used in Compliance departments. The data is saved on XXXSRVSD### servers and the client is either located on Citrix servers or locally on the some of the machines.
Client SETUP
To setup a new pc you need to install the client and create a SQL ODBC
Install MSI from \\amssrvfs001\sources$\ScreeningDeployed5.6_32 and select Client in the wizard
Open DBDescribe.exe from c:\Program Files (x86)\Screening Deployed and ask the senior of the team for the right settings.
- Database name: TMS5
- User: sa (sql instance)
- Pass: ask the senior member of the team
ODBC SETUP
Depending on the machine run:
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
If the connection is missing, create a new User DSN data source > select SQL Server, with the following connection settings:
- Name: TMS5
- Description: NL Screening Deployed
- SQL username: amssdws
- Password: password manager
Change the default database to TMS5
Enable "Use ANSI quoted identifiers" and "Use ANSI nulls, paddings and warnings"
Test the connection at the end.
Create secure connection (if the application is not working)
1. Open C:\program files (x86)\screening deployed -> DBDescribe.exe
2. Fill in all of the settings as below:
DSN: MLTTMS5 (or the relevant data source name for the jurisdiction's SD)
DST: SQL Server
Schema: dbo
Owner ID: sa
Owner Password: SA password for the Screening Deployed SQL DB
testing software
Open Investigator application:
"C:\Program Files (x86)\Screening Deployed\investigator.exe" – 64bit PC
"C:\Program Files\Screening Deployed\investigator.exe" – 32 bit PC
RDP to the “Rubis” server and log in with your Admin account, and do the following
Demarrer
Tous Les Programmes
Core FTP
Core FTP Pro
If this is the first time you will use Core FTP then you will need to do the following to set up the connections to each bank
Creating a connection to LODH
When you open Core FTP the “Site Manager” will appear enter the following details.
Password is in the PW manager
Downloading and Extracting LODH files
a) From the site manager click on the LODH site and then connect
b) then in the right hand pane you will see an “in” and “out” folder please choose the OUT folder
c) within the left hand pane select the button, this is going to specify the location on where the files will be downloaded to.
For LODH choose the following location “D:\CPS\Interfaces\LODH\FTP”
d) from the right-hand pane within the OUT folder you will see “.exe” files. Each file shows the date and time it was uploaded. You will need to download all files from the time the download was done the previous day up to the current time and date. Note the time you did the download on the Daily Tasks spreadsheet.
For example, if the previous day's download was done at 13:00, you will need to download everything after 13:00 for the previous day, and all files for the current day.
Arrange the right hand pane by date then select all the “.exe” files from the current day, and all files that arrived after yesterday's download was done.
This will download the exe files into the location specified in part C
Once downloaded you will see the files in the left hand pane
e) Now use Windows Explorer to browse to D:\CPS\Interfaces\FTP
Each one of these files is encrypted with the same password; this is also in the PW manager
Do the following to decrypt and extract them:
Click on the file and WinRAR will open, keep the default location (if this is changed the file will not be uploaded into CPS) and click install
You will then be asked for the password (it’s in the PW manager)
Click OK and it’s done.
Now do the same for all the files for the day.
Once they have been extracted I usually move the .exe files of the day from the root of the FTP folder into “Nouveau Dossier” just to keep it clean.
How to install/change Internet Explorer Search engine.
Bluecoat breaks Google dynamic search results for some of the users (even inside Citrix). The webpage shows blank results when you use Google search.
Workaround
Change Internet Explorer’s default search engine from Bing to Google. (see below image)
Internet Explorer address bar will now work the same way as Chrome address bar.
Explain to the user how easy it is to search without actually going to Google
The saying "all roads lead to Rome" applies to Windows menus as well. In some cases, however, accessing these menus is not possible through one of the methods.
This can be caused by permission issues, broken or locked items, and/or no free sessions. In these situations you can use an alternative way to access these applications by either running a command or browsing to the alternative path.
Use the following list to run/open the programs/settings in an alternative way. Remembering some of these commands will also help you reduce the time you need to solve an issue.
If users are sending mail from a shared mailbox, such as hr.nl@vistra.com (NL Human Resources), but the sent mail is going into their own Sent Items folder, there is a powershell command that you can run:
There are two parameters we can use:
-SendAsItemsCopiedTo
-SendOnBehalfOfItemsCopiedTo
So we can configure “send as” and “send on behalf” behaviour separately.
There are two values we can use when configuring the sent items behaviour:
Sender – messages are stored in the Sent Items folder of the user that sent the message
SenderAndFrom – messages are stored in both the Sent Items of the user who sent the message, and the Sent Items of the shared mailbox
To configure the NL Human Resources mailbox we can run the following command in the Exchange Management Shell:
[PS] C:\>Set-MailboxSentItemsConfiguration "NL Human Resources" -SendAsItemsCopiedTo:SenderAndFrom -SendOnBehalfOfItemsCopiedTo:SenderAndFrom
Printers in small to medium size offices where follow-me printing is not available should be setup on XXXSRVDC### servers. (replace Xes with location and numbers with the next available one)
Printers in larger offices and/or offices where follow-me printing solutions are available should be installed on their dedicated printer server XXXSRVPRN###
Avoid installing different versions of the same brand drivers and use the universal company driver instead.
Always clean the unused drivers before installing or updating print drivers. You can run printui /s /t2 to see all the installed drivers.
Naming
Use the correct naming convention as below:
Queue name: XXXPRN###
IP port name: x.x.x.x_queuename
Location: City AND reference (this can be room number/floor#/ server location)
comment: printer model (only if physical queue)
Security
Change the printer queue security as below:
Add and allow all access for the following groups: - domain Admins - Security - IT - Vistra Group - Global Printer Administrators - Service account (if needed)
Allow Print only permission for the following group: - Everyone
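One way to audit a queue against the permissions above, as an added PowerShell example that is not part of the original guide. The function name Test-PrintQueueAcl is hypothetical, and the queue names and SDDL strings are constructed samples. It checks only the Everyone entry and lists the SIDs that hold "Manage this printer" so they can be compared with the approved admin groups.

```powershell
# Added example: audit print-queue ACLs against the "Everyone = Print only" rule.
# Access-mask bits are the printer/job rights defined in the Windows SDK (winspool.h).
$PRINTER_ACCESS_ADMINISTER = 0x4    # "Manage this printer"
$PRINTER_ACCESS_USE        = 0x8    # "Print"
$JOB_ACCESS_ADMINISTER     = 0x10   # "Manage documents" (carried on inherit-only ACEs)
$EveryoneSid               = 'S-1-1-0'

function Test-PrintQueueAcl {       # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $QueueName,
        [Parameter(Mandatory = $true)] [string] $Sddl
    )

    # Parse the SDDL string into a security descriptor (Windows only).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $findings         = @()
    $managePrinter    = @()
    $everyoneCanPrint = $false

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only simple allow ACEs are evaluated; deny ACEs are ignored here.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }

        $sid         = $ace.SecurityIdentifier.Value
        $inheritOnly = ([int]$ace.AceFlags -band
                        [int][System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0

        if ($inheritOnly) {
            # Inherit-only ACEs apply to print jobs, not to the queue itself.
            if ($sid -eq $EveryoneSid -and ($ace.AccessMask -band $JOB_ACCESS_ADMINISTER)) {
                $findings += 'Everyone can manage documents'
            }
            continue
        }

        if ($ace.AccessMask -band $PRINTER_ACCESS_ADMINISTER) {
            $managePrinter += $sid
            if ($sid -eq $EveryoneSid) { $findings += 'Everyone can manage the printer' }
        }
        if ($sid -eq $EveryoneSid -and ($ace.AccessMask -band $PRINTER_ACCESS_USE)) {
            $everyoneCanPrint = $true
        }
    }

    if (-not $everyoneCanPrint) { $findings += 'Everyone has no Print permission' }

    [pscustomobject]@{
        Queue             = $QueueName
        Compliant         = ($findings.Count -eq 0)
        Findings          = ($findings -join '; ')
        ManagePrinterSids = ($managePrinter -join ', ')
    }
}

# Constructed sample descriptors (not taken from a real print server).
$samples = [ordered]@{
    # Administrators: full control; Everyone: Print only.
    'XXXPRN001' = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;OIIO;RPWPSDRCWDWO;;;BA)(A;;SWRC;;;WD)'
    # Everyone was also given "Manage this printer" and "Manage documents".
    'XXXPRN002' = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;;LCSWSDRCWDWO;;;WD)(A;OIIO;RPWPSDRCWDWO;;;WD)'
}

foreach ($entry in $samples.GetEnumerator()) {
    Test-PrintQueueAcl -QueueName $entry.Key -Sddl $entry.Value
}

# Against live queues on a print server (PrintManagement module):
# Get-Printer | ForEach-Object {
#     $full = Get-Printer -Name $_.Name -Full
#     Test-PrintQueueAcl -QueueName $full.Name -Sddl $full.PermissionSDDL
# }
```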
Sharing
HKG Screening Deployed Client installation and ODBC Setup Guide
Install SQL client 2012 (Optional, if the PC/Citrix server doesn’t have)
ODBC Setup
USER DSN Configuration: (must be configured on the users’ profile. i.e must be logged in as the “User “ in his/her own PC or citrix session)
Go to ODBC Data Source Administrator > click “ADD”
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
Create New Data Source > Select SQL Server Native Client 11.0
If you cannot see the SQL Server Native Client 11.0 on the list, Installer is in \\hkgsrvsd01\support$\client install
Copy the settings on the screenshot below and click NEXT (the values will differ depending on the ODBC connection that was used to generate the Screening Deployed describe file)
Copy the settings on the screenshot below and click NEXT
Login ID: hkgsdws
Pw: (in pw db)
Copy the settings in the screen shot below and click NEXT
Click Finish and Click on “test Data source” > connection must complete successfully
Open Investigator application
"C:\Program Files (x86)\Screening Deployed\investigator.exe" – 64bit PC
"C:\Program Files\Screening Deployed\investigator.exe" – 32 bit PC
Login details
Username: W001
Pw: test1ng
A successful log in will mean that the USER DSN is working properly
Copy the config file and describe file from \\HKGSRVSD01\c$\support\file
And overwrite the config and describe file on the local PC
1. log into ops view (you must be an administrator) and go to the contacts.
2. Click on the users that will be getting this configured, then click on "submit and edit notification profiles"
3. now configure the IOS Push notification same as below.
4. go to the "host and service groups" in here you can choose what you want to be alerted for on your IOS device. - NOTE you will still be able to see all the hosts in the app if nothing is selected.
if you are configuring an android device tick "push notifications for Android Mobile"
Please note - this is a personal notification, so you can come in and pick and choose what you want to receive alerts on, without affecting other users.
5. now reload the config.
6. download the mobile app from the app store or android store.
5. "Opsview System Authentication" - this is your account you use to log into the Opsview Web Console
6."Ops View System Connection"
hostname - opsmon.vistra.com
REST API URL - /Rest
USE SSL - Enabled
HTTP AUTH Username - your ops view username
HTTP AUTH Password - your ops view password
7. "Push Notification Settings"
Username - itsupport_1
Password - in the password manager
Click done and that's it, give it time to load and then enjoy ;-)
1. go into Opsview and go to "Settings - Host Templates"
2. click on the "green plus"
3. Give the template a name
You can also specify the servers you would like to add to this template. Only if you have set the servers up. if you haven't you can come back and do it later on.
4. Once you Click on submit, you will need to choose the "Monitors" this is the services checks - example below.
to set up services checks in ops view go to - https://itsupport.vistra.com/hc/en-gb/articles/205640171-Group-Opsview-Setting-up-Service-Checks
once you click submit you will need to do a reload of the config.
It is worth spending the time on setting up good host templates. For example, we have the "Vistra - Microsoft Exchange" host template that has all the necessary services and disk space checks for the Exchange servers, meaning we can add all the EXC servers from around the group into this one template.
If there is an additional service, edit this template and add the service; it will then be applied to all servers directly.
1. Log into the server you are setting up and check the services, from the example below these are the services I would like to set up.
2. open a note pad and copy the command below.
-H $HOSTADDRESS$ -c nsc_checkservicestate -a "ShowAll" 'Service Name=started'
replace "service name" with the name of the service you want to monitor.
-H $HOSTADDRESS$ -c nsc_checkservicestate -a "ShowAll" 'MSSQL$AMSSD=started'
see example of my notepad below, I have the service check and the display name
3. log into Opsview, and go to Settings -> Advanced -> Service Checks
4. Click on the Green Plus
5. you will now be on the "New Service Check" screen.
Name - will be the display name of the service.
Description - can be the same as the name.
Services Group - you can either add this to a pre created group, or "enter new" this will create a new service group.
Check Period - leave blank, so it picks up the host configuration
Plugin - depends on what type of check you are setting up, but most of the time you will need to choose "check_nrpe"
Arguments - this will be the line from the note pad we created before.
See example below.
6. Once you have submitted the new check, you will see it highlighted in yellow; this means that it is not yet committed to the configuration.
7. go to Setting -> Configuration -> Apply Changes
8. then click on reload configuration
Please note: if you are setting up a few service checks, it is better to set them all up and do one reload rather than reloading the config each time.
1. go to Opsview.com and log into the site - details saved into the password manager.
2. go to resources and download the windows Opsview agent.
3. Once you have the client downloaded, copy the executable over to the server and run as admin. and press NEXT on the initial screen.
4. Accept the license and click NEXT.
5. keep all defaults on the below screen.
6. keep all defaults on the below screen.
7. keep all defaults on the below screen, and leave both fields blank.
8. install and finish
9. We now need to change the service to run under the SVCOPSVIEW. Open services on the server and navigate to the "Opsview NSClient++ Windows Agent (x64)" services.
Stop the service
open the service, and go to the log on tab and change the settings as per the below, Password in the Password DB
confirm the service is started with the work\svcopsview account.
that is all we need to do from the server side.
10. log into ops view, and go to -> Settings -> Host.
Click "Add New"
11. Fill in the Details for the IP and Host name and host group.
Host Templates.
These are predefined templates for servers; by default, for every server you should select the following.
"Vistra - Snow"
"Vistra - Opsview Agent"
"Vistra - Monitor NIC"
"Vistra - Mcafee"
"Vistra - Arcserve UDP Agent"
"Os - Windows Base"
To make it easier when setting up the same kind of server, it is a good idea to create host templates, as it saves so much time. Please refer to the "Group - Ops View - Host Template" guide for this.
but for this example you can see I have already created the host templates I needed.
12 "Monitored by" - Please select the monitoring server based on the location of the server you are setting up, for this example the server is in Amsterdam, so it will be monitored by the "Master Monitoring Server"
Master Monitoring Server - Amsterdam Master Opsview Server
HKGSRVOVS - Hong Kong Hub
SGPSRVOVS - Singapore Hub
JERSRVOVS - Jersey Hub
LUXSRVOVS - Luxembourg Hub
ZRHSRVOVS - Zurich Hub.
13. Then choose the "Host Group" it will be a part of; these are already pre-created.
14. Choose the "Check Period" as 24x7 and leave the rest as default.
Note - it is possible to create time profiles for server that we boot daily, this prevents email alerts - this also needs to be set in the notification (explained later on in this guide)
15. before you click on submit go to "Notification" at the top
Next to Notify On - please tick "Down" and "Recovery"
Note - it is possible to create time profiles for server that we boot daily, this prevents email alerts - this also needs to be set in the notification.
16. Go to the monitors tab
This is where you can add checks that are not part of a host template.
For example "Check C Drive": we add this manually to each server, so the value can be changed on a per-host basis to reflect the disk on that server.
Any service check can be added manually to any server via this tab.
17. You can now Submit and do a reload of the configuration.
18. Once the configuration has been applied, go to the search box in the top right and search for the server you just added.
19. From the picture below you can see the server is now being monitored, and that we need to address some things, like deploying McAfee
once everything is green this process is completed.
Elsevier is a finance program for filling in, sending and archiving tax forms (including client data). The program is portable and located in a share on AMSSRVAPP001. The program consists of multiple modules, which are divided into separate folders based on the module and tax year.
It's important to know which module and which year the user needs. The DAS module is used by the IT department only. The following steps are required to complete the Elsevier software install request but are also useful in troubleshooting situations:
new user:
Assign an Elsevier (module+year) request ticket which is approved to a senior staff member.
wait for the ticket to return
Remote to the user's desktop and check whether the P drive is connected correctly and not used for any other purpose. Connect it in case it is missing: \\amssrvapp001\elsevier$
Place a shortcut on the user's desktop to the requested module+year: P:\Elsevier\Database\MODULENAME\XZYYYEAR\XZYYEAR.exe for example: P:\Elsevier\Database\BTW\BtwWin2015\BtwWin2015.exe
Run the program and install the pdf printer when the wizard asks for it.
Let the user fill in his information
Inform the user to save the files to pdf and print them using the pdf reader
Sending forms digitally: only TLS 1.0 must be enabled, with 1.1 and 1.2 disabled
Troubleshooting:
- Check whether the drive is mounted to the right share: \\amssrvapp001\elsevier$
- Check whether the correct shortcut is being used
- Ask a senior staff member to check the user inside the DAS tool for his documentgroup rights and username.
Please use this guide if you get calls from users who have the McAfee Endpoint Encryption pre-boot authentication screen when they switch on the computer:
DO NOT ATTEMPT TO LOG THE USER IN WITH THEIR OWN OR YOUR OWN CREDENTIALS!
Ask the user to click 'Options' > 'Recovery' > 'Administrator Recovery'
They will then be given a client code which they will need to read to you.
Log onto whichever EPO the machine is currently on, go to Menu > Encryption Recovery and enter the client code.
You will then be given a response code, usually 2 lines which the user will need to enter. Once entered, click 'Finish' and the machine should boot into Windows.
Please then let Jamie, Amir or Jack know the machine number and location.
We're excited to announce that we're changing our name today to Webdiverseon. The name change gives us more definition as the Island's leading experts in search engine optimisation (hence, Webdiverseon!) and search marketing solutions. You'll find our new website at webdiverseon.com and our emails are changing as follows:
By expanding “Mailboxes” on the Navigation Pane on the left, you are able to see your own mailbox and those authorised to you. The structure of archive mailboxes is more or less the same as the one on outlook.
By expanding the Preview Pane on the right, you are able to see the email content of selected email.
On Preview Pane, you can click on the outlook icon to download selected email, in case you need to reply on it directly or reply as an attachment.
The Paper Clip icon shown on the email index usually, but not always, indicates attachment(s) on the email. For emails with a picture (e.g. a company logo) in the signature, the Paper Clip icon is still shown on the email index even if the email has no attachment.
Searching Email:
Option A: Click on “Actions” on Tools bar and choose “Search”, you will be switched to Search page as shown below:
Option B: Click on “Search” tab and then “Exchange Archive” on the Navigation Pane on the left to go to Search page.
Tips for conducting a search on ArchiveWeb:
On the “Option” tab,
Check all “Search in Subject”, “Search in Message Text” and “Search in Attachment”
Enter your keyword in “Fulltext”; if it is more than one word, put it in double quotes, e.g. “Hello Test”, so that only relevant emails are returned.
On the “Mailboxes” tab,
Check the mailbox(es) in which you want to conduct the search
Jonathan Tassier Vigil Software Support Tel: 0845 2000 317 Fax: 0845 4900 246 Email: support@vigilsoftware.com
____________________________________ Vigil Software Limited 60-61 Mark Lane London EC3R 7ND United Kingdom Sales | 0845 2000 316 Support | 0845 2000 317 Fax | 0870 723 0206 Web | www.vigilsoftware.co.uk
You may be aware that Paula Thomas has recently left JT. I am currently in the process of reviewing Paula's account base and will advise your new Relationship Manager once this is complete.
In the interim, can I request that any sales or general enquiries are forwarded to our centralised team business.solutions@jtglobal.com or call 01534 882345 option 3 to ensure all your business requirements are fulfilled by the most appropriate channel.
Any faults should be directed to businessfaults@jtglobal.com or call 01534 882345 option 1. This will ensure you are connected to our service management centre without delay.
I appreciate your patience at this time, should you need a point of escalation, please feel free to contact me directly.
JT, PO Box 53, No 1 The Forum, Grenville Street, St Helier, Jersey, JE4 8PB JT, 24 High Street, St Peter Port, Guernsey, GY1 2JU, Registered Company no. 39971
I would like to advise that as of today, Monday 30th September, William Childe will be leaving JT.
Please be assured that a full and detailed handover has taken place.
We are in the process of recruiting for a replacement Relationship Manager and at this point have shortlisted potential candidates. As soon as an appointment has been made, we will contact you to arrange an introduction.
In the meantime should you need assistance with any existing or new products and services please refer to the attachment detailing the most appropriate contact for your needs.
I shall be making calls to those of you that are aware of Will's departure and have requested a call. Please bear with me; I will endeavour to call you as quickly as possible.
I would like to thank you for your support during this transition period and would welcome any feedback you may have on any aspect of service received by JT Business Solutions. Should you wish to arrange an appointment or drop me an email please feel free to do so.
JT, PO Box 53, No 1 The Forum, Grenville Street, St Helier, Jersey, JE4 8PB JT, 24 High Street, St Peter Port, Guernsey, GY1 2JU, Registered Company no. 39971
Kabir Assis will be your UK contact and Joakim.tenne is Insight's global account manager. We have at this time also agreements with Lenovo, Symantec etc. If you are looking for some spec software or hardware we might be able to find you a better price. If you have any questions, please send me a mail or give me a call.
Regards
Rolf Carrick
Phone + 46 8 7020500
Mob +46 70 727039
Kabir Assi | UK Account Executive| Insight UK | The Atrium, 1 Harefield Road, Uxbridge, UB8 1PH
The saying “all roads lead to Rome” applies to Windows menus as well. In some cases, however, a menu cannot be reached through one of the usual methods.
This can be caused by permissions, by broken or locked sessions, and/or by having no free sessions. In these situations you can reach the application another way, either by running a command or by browsing to the alternative path.
Use the following list to run or open the programs and settings by an alternative route. Remembering some of these commands will also help you solve issues faster.
If users are sending mail from a shared mailbox, such as hr.nl@vistra.com (NL Human Resources), but the sent mail is going into their own Sent Items folder, there is a PowerShell command that you can run:
There are two parameters we can use:
-SendAsItemsCopiedTo
-SendOnBehalfOfItemsCopiedTo
So we can configure “send as” and “send on behalf” behaviour separately.
There are two values we can use when configuring the sent items behaviour:
Sender – messages are stored in the Sent Items folder of the user that sent the message
SenderAndFrom – messages are stored in both the Sent Items of the user who sent the message, and the Sent Items of the shared mailbox
To configure the NL Human Resources mailbox we can run the following command in the Exchange Management Shell:
[PS] C:\>Set-MailboxSentItemsConfiguration "NL Human Resources" -SendAsItemsCopiedTo:SenderAndFrom -SendOnBehalfOfItemsCopiedTo:SenderAndFrom
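The same setting checked across every shared mailbox, so that mail sent in a shared mailbox's name is also visible in that mailbox. This is an added example, not part of the original guide; it goes beyond the single mailbox above and assumes an Exchange Management Shell that provides the *-MailboxSentItemsConfiguration cmdlets and that SenderAndFrom is wanted everywhere. The $apply switch and the report column names are illustrative.

```powershell
# Added example, not part of the original guide. Run in the Exchange Management Shell.
# Assumption: all shared mailboxes should use the setting shown above for "NL Human Resources".
$wanted = 'SenderAndFrom'
$apply  = $false   # $false = report only; $true = also change non-compliant mailboxes

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    $id  = $mbx.DistinguishedName
    $cfg = Get-MailboxSentItemsConfiguration -Identity $id

    # Cast to string so the comparison also works on deserialized remote-session objects.
    $sendAs   = [string]$cfg.SendAsItemsCopiedTo
    $onBehalf = [string]$cfg.SendOnBehalfOfItemsCopiedTo
    $ok       = ($sendAs -eq $wanted) -and ($onBehalf -eq $wanted)

    if ((-not $ok) -and $apply) {
        Set-MailboxSentItemsConfiguration -Identity $id `
            -SendAsItemsCopiedTo $wanted -SendOnBehalfOfItemsCopiedTo $wanted

        # Read the values back instead of assuming the change was applied.
        $cfg      = Get-MailboxSentItemsConfiguration -Identity $id
        $sendAs   = [string]$cfg.SendAsItemsCopiedTo
        $onBehalf = [string]$cfg.SendOnBehalfOfItemsCopiedTo
        $ok       = ($sendAs -eq $wanted) -and ($onBehalf -eq $wanted)
    }

    New-Object PSObject -Property @{
        Mailbox        = $mbx.DisplayName
        SendAs         = $sendAs
        SendOnBehalfOf = $onBehalf
        Compliant      = $ok
    } | Select-Object Mailbox, SendAs, SendOnBehalfOf, Compliant
}

# Non-compliant mailboxes sort first.
$report | Sort-Object Compliant, Mailbox | Format-Table -AutoSize
```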
Printers in small to medium-sized offices where follow-me printing is not available should be set up on XXXSRVDC### servers (replace the Xs with the location and the numbers with the next available one).
Printers in larger offices and/or offices where follow-me printing solutions are available should be installed on their dedicated printer server XXXSRVPRN###.
Avoid installing different versions of the same brand's drivers and use the universal company driver instead.
Always clean up the unused drivers before installing or updating print drivers. You can run printui /s /t2 to see all the installed drivers.
Naming
Use the correct naming convention as below:
Queue name: XXXPRN###
IP port name: x.x.x.x_queuename
Location: City AND reference (this can be room number/floor#/ server location)
Comment: printer model (only if physical queue)
Security
Change the printer queue security as below:
Add and allow all access for the following groups: - Domain Admins - Security - IT - Vistra Group - Global Printer Administrators - Service account (if needed)
Allow Print only permission for the following group: - Everyone
Sharing
HKG Screening Deployed Client installation and ODBC Setup Guide
Install SQL client 2012 (optional, if the PC/Citrix server doesn’t have it)
ODBC Setup
USER DSN Configuration: (must be configured in the user's profile, i.e. you must be logged in as the user on his/her own PC or Citrix session)
Go to ODBC Data Source Administrator > click “ADD”
(x86) C:\windows\system32\odbcad32
(x64) C:\windows\sysWOW64\odbcad32
Create New Data Source > Select SQL Server Native Client 11.0
If you cannot see SQL Server Native Client 11.0 in the list, the installer is in \\hkgsrvsd01\support$\client install
Copy the settings on the screenshot below and click NEXT (the values will differ depending on the ODBC connection that was used to generate the Screening Deployed describe file)
Copy the settings on the screenshot below and click NEXT
Login ID: hkgsdws
Pw: (in pw db)
Copy the settings in the screen shot below and click NEXT
Click Finish and Click on “test Data source” > connection must complete successfully
Open Investigator application
("C:\Program Files (x86)\Screening Deployed\investigator.exe") – 64-bit PC
("C:\Program Files\Screening Deployed\investigator.exe") – 32-bit PC
Login details
Username: W001
Pw: test1ng
A successful log in will mean that the USER DSN is working properly
Copy the config file and describe file from \\HKGSRVSD01\c$\support\file
And overwrite the config and describe file on the local PC
1. Log into Opsview (you must be an administrator) and go to the contacts.
2. Click on the users that will be getting this configured, then click on "submit and edit notification profiles".
3. Now configure the iOS push notification the same as below.
4. Go to "host and service groups"; here you can choose what you want to be alerted for on your iOS device. - NOTE: you will still be able to see all the hosts in the app if nothing is selected.
If you are configuring an Android device, tick "push notifications for Android Mobile".
Please note - this is a personal notification, so you can come in and pick and choose what you want to receive alerts on, without affecting other users.
5. Now reload the config.
6. Download the mobile app from the App Store or Android store.
5. "Opsview System Authentication" - this is your account you use to log into the Opsview Web Console
6."Ops View System Connection"
hostname - opsmon.vistra.com
REST API URL - /Rest
USE SSL - Enabled
HTTP AUTH Username - your ops view username
HTTP AUTH Password - your ops view password
7. "Push Notification Settings"
Username - itsupport_1
Password - in the password manager
Click done and that's it, give it time to load and then enjoy ;-)
1. go into Opsview and go to "Settings - Host Templates"
2. click on the "green plus"
3. Give the template a name
You can also specify the servers you would like to add to this template, but only if you have already set the servers up. If you haven't, you can come back and do it later on.
4. Once you click on Submit, you will need to choose the "Monitors"; these are the service checks - example below.
To set up service checks in Opsview go to - https://itsupport.vistra.com/hc/en-gb/articles/205640171-Group-Opsview-Setting-up-Service-Checks
Once you click Submit you will need to do a reload of the config.
It is worth spending the time on setting up good host templates. For example, we have the Vistra - Microsoft Exchange host template, which has all the necessary service and disk space checks for the Exchange servers, meaning we can add all the EXC servers from around the group into this one template.
If there is an additional service, edit this template and add the service; this will then be applied to all servers directly.
1. Log into the server you are setting up and check the services, from the example below these are the services I would like to set up.
2. open a note pad and copy the command below.
-H $HOSTADDRESS$ -c nsc_checkservicestate -a "ShowAll" 'Service Name=started'
replace "service name" with the name of the service you want to monitor.
-H $HOSTADDRESS$ -c nsc_checkservicestate -a "ShowAll" 'MSSQL$AMSSD=started'
see example of my notepad below, I have the service check and the display name
3. log into Opsview, and go to Settings -> Advanced -> Service Checks
4. Click on the Green Plus
5. you will now be on the "New Service Check" screen.
Name - will be the display name of the service.
Description - can be the same as the name.
Services Group - you can either add this to a pre created group, or "enter new" this will create a new service group.
Check Period - leave blank, so it picks up the host configuration
Plugin - depends on what type of check you are setting up, but most of the time you will need to choose "check_nrpe"
Arguments - this will be the line from the Notepad file we created before.
See example below.
6. Once you have submitted the new check, you will see it highlighted in yellow; this means that the server is not yet committed to the configuration.
7. Go to Settings -> Configuration -> Apply Changes
8. Then click on Reload Configuration
Please note, if you are setting up a few service checks, it is better to set them all up and do one reload rather than reloading the config each time.
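Steps 1 and 2 above can be generated rather than typed by hand. This is an added example, not part of the original guide; it assumes Windows PowerShell on the server being monitored, and the function name Get-ServiceCheckLine and its -Pattern parameter are hypothetical.

```powershell
# Added example, not part of the original guide. Run in Windows PowerShell on the
# server being set up (step 1); the output is the Notepad content of step 2.

# Single quotes stop PowerShell from expanding $HOSTADDRESS$, which Opsview fills in itself.
# {0} is replaced with the service name; '' is an escaped single quote.
$template = '-H $HOSTADDRESS$ -c nsc_checkservicestate -a "ShowAll" ''{0}=started'''

function Get-ServiceCheckLine {
    param(
        # Hypothetical parameter: wildcard patterns matched against service name or display name.
        [string[]]$Pattern = @('*')
    )

    # Only services that are expected to be up: automatic start type and currently running.
    $services = Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State='Running'" |
        Sort-Object DisplayName

    foreach ($svc in $services) {
        $hit = $false
        foreach ($p in $Pattern) {
            if (($svc.Name -like $p) -or ($svc.DisplayName -like $p)) { $hit = $true; break }
        }
        if (-not $hit) { continue }

        # A quote in the name would close the quoted argument early, so emit no line for it.
        if ($svc.Name -match "['""]") {
            Write-Warning "Skipped '$($svc.DisplayName)': service name contains a quote character."
            continue
        }

        # CheckName goes in the "Name" field of the new service check, Arguments in "Arguments".
        New-Object PSObject -Property @{
            CheckName = $svc.DisplayName
            Arguments = $template -f $svc.Name
        } | Select-Object CheckName, Arguments
    }
}

# Example call: list check lines for the SQL Server services on this machine.
Get-ServiceCheckLine -Pattern 'MSSQL*', 'SQL*' | Format-List
```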
1. go to Opsview.com and log into the site - details saved into the password manager.
2. go to resources and download the windows Opsview agent.
3. Once you have the client downloaded, copy the executable over to the server and run it as admin, then press NEXT on the initial screen.
4. Accept the license and click NEXT.
5. keep all defaults on the below screen.
6. keep all defaults on the below screen.
7. keep all defaults on the below screen, and leave both fields blank.
8. install and finish
9. We now need to change the service to run under the SVCOPSVIEW account. Open Services on the server and navigate to the "Opsview NSClient++ Windows Agent (x64)" service.
Stop the service.
Open the service, go to the Log On tab and change the settings as per the below. The password is in the Password DB.
Confirm the service is started with the work\svcopsview account.
That is all we need to do from the server side.
10. log into ops view, and go to -> Settings -> Host.
Click "Add New"
11. Fill in the Details for the IP and Host name and host group.
Host Templates.
These are predefined templates for servers; by default, for every server you should select the following.
"Vistra - Snow"
"Vistra - Opsview Agent"
"Vistra - Monitor NIC"
"Vistra - Mcafee"
"Vistra - Arcserve UDP Agent"
"Os - Windows Base"
To make it easier when setting up the same server, it is a good idea to create host templates, as it saves so much time; please refer to the "Group - Ops View - Host Template" guide for this.
But for this example you can see I have already created the host templates I needed.
12 "Monitored by" - Please select the monitoring server based on the location of the server you are setting up, for this example the server is in Amsterdam, so it will be monitored by the "Master Monitoring Server"
Master Monitoring Server - Amsterdam Master Opsview Server
HKGSRVOVS - Hong Kong Hub
SGPSRVOVS - Singapore Hub
JERSRVOVS - Jersey Hub
LUXSRVOVS - Luxembourg Hub
ZRHSRVOVS - Zurich Hub.
13. Then choose the "Host Group" it will be a part of; they are already pre-created.
14. Choose the "Check Period" as 24x7 and leave the rest as default.
Note - it is possible to create time profiles for servers that we boot daily; this prevents email alerts - this also needs to be set in the notification (explained later on in this guide)
15. Before you click on Submit go to "Notification" at the top
Next to Notify On - please tick "Down" and "Recovery"
Note - it is possible to create time profiles for servers that we boot daily; this prevents email alerts - this also needs to be set in the notification.
16. Go to the monitors tab
This is where you can add checks that are not part of a host template.
For example "Check C Drive". We add this manually to each server like this, so the value can be changed on a per-host basis to reflect the disk on that server.
But any service check can be added manually to any server via this service check tab.
17. You can now Submit and do a reload of the configuration.
18. Once the configuration has applied, go to the search box in the top right and search for the server you just added.
19. From the picture below you can see the server is now being monitored, and that we need to address some things, like deploying McAfee.
Once everything is green this process is completed.
Elsevier is a finance program for filling in, sending and archiving tax forms (including client data). The program is portable and located in a share on AMSSRVAPP001. The program consists of multiple modules, which are divided into separate folders based on the module and tax year.
It's important to know which module and which year the user needs. The DAS module is used by the IT department only. The following steps are required to complete an Elsevier software install request, and are also useful in troubleshooting situations:
New user:
Assign an Elsevier (module+year) request ticket which is approved to a Senior staff member.
Wait for the ticket to return.
Remote to the user's desktop and check whether the P drive is connected correctly and not used for any other purpose. Connect it in case it is missing: \\amssrvapp001\elsevier$
Place a shortcut on the user's desktop to the requested module+year: P:\Elsevier\Database\MODULENAME\XZYYYEAR\XZYYEAR.exe for example: P:\Elsevier\Database\BTW\BtwWin2015\BtwWin2015.exe
Run the program and install the PDF printer when the wizard asks for it.
Let the user fill in his information.
Inform the user to save the files to PDF and print them using the PDF reader.
Sending forms digitally: Only TLS 1.0 must be enabled and 1.1 and 1.2 disabled
Troubleshooting:
- Check whether the drive is mounted to the right share: \\amssrvapp001\elsevier$
- Check whether the correct screenshot is being used
- Ask a senior staff member to check the user inside the DAS tool for his documentgroup rights and username.
This is my contact information, what I will do for you is look after your account, nice personal service for you with no obligation to spend.
If there are any business needs like prices on IT Equipment, looking to expand your business/offices even close an office we can help, very useful company with the big BT brand name and buying power behind us.
Look forward to hearing from you
I’m Alex Thorn
From now on when you look at any IT equipment or services on our website http://www.businessdirect.bt.com, you can call or email me directly and get me working for you, finding very competitive prices, looking for any information, and giving you good advice about the products and services that we provide. I will do everything I can to get you some good prices and great service.
I welcome all queries via my direct line: 0870 429 3771
Thanks very much for taking the time to meet with me last week. As discussed, should it be required we do have an escalation path, please do not hesitate to contact me if you have any questions.
Escalation Path
The Service Bureau team cover the hours of 07:00 to 18:00, team listed below:
The role of the Customer Care team is to keep in regular contact with customers and be an additional escalation path for customers. Within the Customer Care team we have Rena Carey, Andy Maloney, Lorraine Esposito and Carol Lovesey, who can be reached by the generic address of clientcare@bottomline.com +44 (0) 20 7940 4200 (which is the best option in case of holidays and meetings) or individual details are listed below:
Head of SWIFT Access Service - Christian Antrobus who has overall responsibility for the SWIFT operations, both for bureau customers and customers with their own infrastructure.
To follow on from the relocation of the Talentia Maidenhead team to the new Talentia London office we are pleased to announce a new support structure that should benefit all our clients.
With immediate effect all support queries will be managed, in the first instance, by our dedicated support team based in London. The support team are available between 9am to 5.30pm weekdays (excluding UK Bank Holidays) and can be contacted via the phone or email.
It is our preference that all support incidents are raised by email as this automatically logs your call via our support system.
Using this dedicated email address for support will enable us to provide a better service to you by ensuring that all communications between you and our team are recorded via our support desk. Such an approach means that the information required to progress your call is available to all members of Talentia Software who may be involved in the resolution of your specific query.
Should you have any queries please feel free to contact the Support Manager, Susan Murray on the number provided above.
Kind regards,
Talentia UK Support Team
Talentia Software - 46 Loman Street, London SE1 OEH
Metalogix is improving and investing in our customer service systems to ensure that we provide the highest level of support. We have transitioned to a new CRM system and beginning July 16, 2012, all requests for support assistance should be performed through the portal at http://www.metalogix.com/Tools/SubmitTicket.aspx or by phone at +1.202.609.9100.
The support@metalogix.net email will no longer be monitored as it is today and your service response time will be extended if you send an email to that address. We are confident that you will find the portal to be simple and easy to use, allowing our dispatch team to quickly and effectively process your request for assistance.
If you have any questions or concerns, please feel free to contact me directly.
From: Sharp, Kate [mailto:kate.sharp@advent.com] Sent: 18 September 2012 13:23 To: Sharp, Kate Subject: EMEA Support Phone Numbers
Dear Client
We would like to notify you that we have enabled two new EMEA support numbers:
UK Toll Free: (0) 800 358 9686 - This number is for clients located in England use only
UK Regional: 44-20-7071-3850 - This number is accessible to all our clients
Our support team will be available between 8:00am and 5:30 pm Monday – Friday except UK Bank Holidays.
If you are unable to reach our Support team in London the call will be transferred to the US Geneva Support team.
Outside of UK and US business hours you can either leave a voicemail or press 1 for Urgent after hours Geneva support.
Case Submission
As we will no longer be actively monitoring our group e-mail genevasupport@advent.com as an initialization point for cases, please use Advent Connection to submit new support cases. Through Advent Connection, cases will be routed directly to our subject matter experts within our Knowledge Group support structure.
There is an FAQ Knowledge Base article on Connection describing the retiring of the Geneva Support group e-mail address. Please see KB A35496. We also have documents on Connection that provide an overview of our Knowledge Group model (Global Accounts Client Support) and steps to submit a case online (Online Support Case Management).
Click on the drop-down for “Manage”, then click on the bottom option, “Disabled Items”.
Highlight the “Worksite Office 2007 Integration” add-in and click Enable.
Once you have enabled the add-in, navigate back to the drop-down menu near “Manage” and this time click on “COM Add-ins”.
You will then see the below add-ins. Tick “Worksite Office 2007 Integration”, then click “OK” on the top right-hand side.
So overall, you have checked whether the add-in is disabled, re-enabled it, and then made the add-in available by ticking it and applying the changes.
A Farm is a group of Citrix servers which provides published applications to all users that can be managed as a unit, enabling the administrator to configure features and settings for the entire farm rather than configuring each server individually. All the servers in the farm share a single data store.
RDP to AMSSRVADMIN001
Open Citrix AppCenter
Check for a Citrix server in AD based on the user's location. Follow the steps below. Change lux in luxsrvctx to the user's location.
In AppCenter navigate to action > Configure and run discovery
Click Next
Press Add and then type in any of the server names found in Point 3, then click OK
Click Next twice and wait for discovery process to complete
Click Finish. You have just added Server Farm to the left panel.
Citrix - Add Farm in Citrix Studio (new environment)
A Farm is a group of Citrix servers which provides published applications to all users that can be managed as a unit, enabling the administrator to configure features and settings for the entire farm rather than configuring each server individually. All the servers in the farm share a single data store.
All new Citrix environment farms are connected automatically when launching Citrix Studio
RDP to AMSSRVADMIN001
Open Citrix Studio
Citrix - Assign user to a desktop in AppCenter (old environment)
Names of the print server and the ZRHWRKXXX that have Brother printers shared on them have been added to the following strings in the policy.